Heimdal


A series of data wiper assaults targeting the diamond industry in South Africa, Israel, and Hong Kong have been ascribed to the Iranian advanced persistent threat (APT) actor Agrius.

The wiper, known as Fantasy, is said to have been distributed through a supply-chain attack that was launched in February 2022 and targeted an Israeli software suite developer. Victims of the malware also include HR firms and IT consulting companies.

Security researchers reported that the Fantasy wiper is built on the foundation of a previously reported malware, Apostle. Unlike Apostle, however, Fantasy makes no attempt to masquerade as ransomware; it goes straight to wiping data.

Details on Agrius and Fantasy

Agrius, the Iran-aligned group responsible for the intrusions, has been operating since at least December 2020. It gains access by exploiting known security holes in internet-facing applications and then drops web shells, which are used to facilitate reconnaissance, lateral movement, and the delivery of final-stage payloads.

The initial attack was detected on February 20th, 2022, when Agrius deployed credential harvesting tools in the IT system of a South African organization. Later, on March 12, 2022, Agrius launched the wiper attack with Fantasy, simultaneously hitting other businesses in Israel and Hong Kong.

Fantasy is executed through another tool called Sandals, a 32-bit Windows executable written in C#/.NET. The malware reaches the compromised host through the supply-chain attack, delivered via the software update mechanism of the Israeli developer.

The wiper operates by recursively getting the directory listing for every drive, overwriting each file in those folders with garbage data, giving the files a future timestamp, and then deleting them. To erase all traces of activity, Fantasy clears all Windows event logs, purges all the files on the system drive, overwrites the system’s Master Boot Record, deletes itself, and reboots the machine.
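As an added illustration from the responder's side (not code from this article or from the researchers it cites), the following Python sweep hunts for one of the artefacts described above: files whose modification timestamp lies in the future. The clock-skew tolerance and the constructed sample tree are assumptions.

```python
"""Sweep a file tree for files whose modification time lies in the future.

Fantasy stamps each file with a future timestamp before deleting it, so
future-dated mtimes that survive on a host are one artefact worth hunting
for. Added illustration only; the tolerance value is an assumption.
"""
import os
import tempfile
import time


def find_future_timestamped(root, now=None, skew_seconds=300):
    """Return (path, mtime) pairs under root whose mtime is more than
    skew_seconds ahead of now. The tolerance absorbs ordinary clock drift
    so legitimate files are not flagged; unreadable entries are skipped
    rather than aborting the sweep."""
    now = time.time() if now is None else now
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path, follow_symlinks=False).st_mtime
            except OSError:
                continue
            if mtime - now > skew_seconds:
                hits.append((path, mtime))
    return sorted(hits)


def build_demo_tree():
    """Create a constructed sample tree: one normally dated file and one
    dated a year ahead. Returns (root, future_path). Sample data only."""
    root = tempfile.mkdtemp(prefix="wiper_demo_")
    normal = os.path.join(root, "report.docx")
    future = os.path.join(root, "sub", "ledger.xlsx")
    os.makedirs(os.path.dirname(future))
    for path in (normal, future):
        with open(path, "w") as fh:
            fh.write("placeholder content\n")
    year_ahead = time.time() + 365 * 24 * 3600
    os.utime(future, (year_ahead, year_ahead))
    return root, future


if __name__ == "__main__":
    demo_root, _ = build_demo_tree()
    for hit_path, hit_mtime in find_future_timestamped(demo_root):
        print(f"future-dated: {hit_path} mtime={time.ctime(hit_mtime)}")
```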

The campaign lasted three hours before security experts managed to stop the threat group's attacks. The Israeli company whose software was used to spread the malware has since pushed clean updates to close the attack path.


Author Profile

Cristian Neagu

CONTENT EDITOR


Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, proof being in his skill of communicating cybersecurity norms effectively, in an easy-to-understand manner.
