Agrius Iranian Hacking Group Targets Israel
The Iranian hacking Group Has Been Observed Disguising Attacks Against Israeli Targets as Ransomware Attacks.
A new threat actor dubbed Agrius was observed by the researchers at SentinelOne operating in Israel in 2020. It looks like the attackers behind Agrius have shifted towards the use of extortion of their targets, claiming they stole and encrypted their data.
The analysis of what seemed to be a classic ransomware attack revealed new variants of wipers deployed in a set of destructive attacks against Israeli targets.
It can be considered very interesting that the operators behind the attacks are intentionally hiding their activity as ransomware attacks, this being an uncommon behavior for financially motivated groups, therefore making us consider the fact that they could be a nation-sponsored threat group.
Initially engaged in espionage activity, Agrius deployed a set of destructive wiper attacks against Israeli targets, masquerading the activity as ransomware attacks.
We believe the implementation of the encryption functionality is there to mask its actual intention: destroying victim data.
This thesis is supported by an early version of Apostle that the attacker’s internally named ‘wiper-action.’ This early version was deployed in an attempt to wipe data but failed to do so possibly due to a logic flaw in the malware.
The flawed execution led to the deployment of the DEADWOOD wiper. This, of course, did not prevent the attackers from asking for a ransom.
The group uses a combination of tools and already available software in order to deploy a variety of destructive wiper techniques such as destructive wiper or custom wiper-turned-ransomware variant.
Unlike other ransomware groups such as Maze and Conti, Agrius does not seem to be motivated by money. Instead, it seems to be using the threat in order to carry out espionage and destruction, as in some attacks in which only a wiper was deployed, the attacker group would pretend to have stolen and encrypted information to extort victims, but this information would have already been destroyed by the wiper.
In the first stages of an attack, Agrius will make use of virtual private network software, and access public-facing apps or services belonging to its intended victim before trying an exploit, usually using compromised accounts and software vulnerabilities.
One example is a vulnerability discovered in FortiOS, tracked as CVE-2018-13379, that has been widely used in exploit attempts against targets in Israel.
If the attack is successful, web shells are then to be deployed and public cybersecurity tools will be used for credential harvesting and network movement, in order to make it easier for the malware payloads to be deployed.
In the Agrius toolkit, there was found a destructive wiper malware strain, known as Deadwood or Detbosit, linked previously to attacks against Saudi Arabia in 2019.
In its attacks, Agrius will drop a custom .NET backdoor called IPsec Helper. This will provide persistence and will create a connection with a command-and-control (C2) server, allowing the group to later drop a novel .NET wiper dubbed as Apostle.
Heimdal™ Ransomware Encryption Protection
- Blocks any unauthorized encryption attempts;
- Detects ransomware regardless of signature;
- Universal compatibility with any cybersecurity solution;
- Full audit trail with stunning graphics;
A recent attack against a state-owned facility in the United Arab Emirates showed that Apostle has been improved and modified to contain functional ransomware components, but the researchers believe that the hackers are focusing more on its destructive elements of ransomware like its ability to encrypt files, than on its financial lure.