A new attack group called Agrius is launching damaging wiper attacks against Israeli targets, and researchers say the group hides behind ransomware so that its state-sponsored espionage and destruction efforts appear financially motivated.
Sentinel Labs analysts said they have been tracking Agrius’ operations in Israel since 2020 & have observed the evolution of the group’s malware, Apostle, to include ransomware functionality.
Researchers added that the wiper attacks were conducted using a secondary malware called “Deadwood” (a.k.a. “Detbosit”), which Sentinel Labs stated has “unconfirmed links to an Iranian threat group.”
Analysts observed Agrius move its approach from carrying out basic espionage to asking victims for money to retrieve their data — even though the data was destroyed & could not be returned for any amount of money.
“An analysis of what at first sight appeared to be a ransomware attack revealed new variants of wipers that were deployed in a set of destructive attacks against Israeli targets,” Sentinel Labs explained.
“The operators behind the attacks intentionally masked their activity as ransomware attacks, an uncommon behaviour for financially motivated groups. Considering this and the nature of the known targets, we assess this is a nation-sponsored threat group.”
Often, the attack group takes advantage of publicly available 1-day exploits in web-based apps or SQL injection for initial access, according to the analysis.
Agrius uses a VPN service, most often ProtonVPN, to access a victim’s system anonymously, Sentinel Labs explained, and then deploys a web shell, which for this group is most often a variant of the open-source ASPXSpy tool. The attackers use the web shells to harvest credentials & move laterally through the network.
“Upon successful exploitation, the threat actor uploads a web shell,” Sentinel Labs explained. “Those web shells are used to tunnel traffic into the network in order to leverage compromised credentials to move laterally using Remote Desktop Protocol.”
“Three of the web shells were uploaded from Iran, while the rest were uploaded from Pakistan, Saudi Arabia and the United Arab Emirates,” the report explained. “Although we cannot confirm this implementation is exclusive to Agrius, it is apparent it is limited to regional actors, most likely Iranian.”
The group then deploys a backdoor called “IPsec Helper”, which intermittently checks for an internet connection by reaching out to pre-determined Microsoft servers and retrieves the Apostle .NET malware.
Sentinel Labs traced the earliest wiper iteration of Apostle back to November, when it was used to target an Israeli organisation.
“Apostle is a .NET malware whose functionality iteratively developed from a wiper to full-fledged ransomware,” the report outlined. “We believe the implementation of the encryption functionality is there to mask its actual intention: Destroying victim data.”
Agrius also targeted state-owned critical infrastructure inside the United Arab Emirates, which Sentinel Labs observed is “well known for having been previously targeted by suspected Iranian threat actors.”
Ransomware has been used successfully in the past as a way for state actors to avoid direct blame for attacks, according to Sentinel Labs, which pointed to the NotPetya attacks of 2017 & to Russian state-sponsored attackers who targeted intelligence agencies in the West.
Just this month, another wave of attacks targeting Israel came from the “n3tw0rm” ransomware group, which has been linked to Iran, suggesting these could all be part of a bigger effort.
“The group leverages its own custom toolset, as well as publicly available offensive security tools, to target a variety of organisations in the Middle East,” the report commented about the attack group.
“In some cases, the group leveraged its access to deploy destructive wiper malware, and in others a custom ransomware. Considering this, we find it unlikely that Agrius is a financially motivated threat actor.”