[BreachExchange] Iranian hacking group Agrius pretends to encrypt files for a ransom, destroys them instead

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Tue Jun 8 12:48:24 EDT 2021


https://www.zdnet.com/article/iranian-hacking-group-agrius-pretends-to-encrypt-files-for-a-ransom-destroys-it-instead/

The Agrius hacking group has shifted from using purely destructive wiper
malware to a combination of wiper and ransomware functionality -- and will
pretend to hold data to ransom as a final stage in attacks.

In an analysis of the threat group's latest movements, SentinelOne
researchers said on Tuesday that Agrius was first spotted in attacks
against Israeli targets in 2020.

The group uses a combination of its own custom toolsets and readily
available offensive security software to deploy either a destructive wiper
or a custom wiper-turned-ransomware variant.

However, unlike ransomware groups such as Maze and Conti, it doesn't appear
that Agrius is purely motivated by money -- instead, the use of ransomware
is a new addition and a bolt-on to attacks focused on cyberespionage and
destruction.

Furthermore, in some attacks traced by SentinelOne when only a wiper was
deployed, Agrius would pretend to have stolen and encrypted information to
extort victims -- but this information had already been destroyed by the
wiper.

Agrius "intentionally masked their activity as a ransomware attack," the
researchers say, while actually engaging in destructive attacks against
Israeli targets.

The researchers suspect the group is state-sponsored.

During the first stages of an attack, Agrius will use virtual private
network (VPN) software while accessing public-facing apps or services
belonging to its intended victim before attempting an exploit, often
through compromised accounts and software vulnerabilities.

For example, a vulnerability in FortiOS, tracked as CVE-2018-13379, has
been widely used in exploit attempts against targets in Israel.

If successful, webshells are then deployed, public cybersecurity tools are
used for credential harvesting and network movement, and malware payloads
are then deployed.

Agrius' toolkit includes Deadwood (also known as Detbosit), a destructive
wiper malware strain. Deadwood was linked to attacks against Saudi Arabia
during 2019, thought to be the work of APT33.

Both APT33 and APT34 have been connected to the use of wipers including
Deadwood, Shamoon, and ZeroCleare.

During attacks, Agrius also drops a custom .NET backdoor called IPsec Helper
for persistence and to create a connection with a command-and-control (C2)
server. In addition, the group will drop a novel .NET wiper dubbed Apostle.

IPsec Helper and Apostle appear to be the work of the same developer.

In a recent attack against a state-owned facility in the United Arab
Emirates, Apostle appears to have been improved and modified to contain
functional ransomware components. However, the team believes it is the
destructive elements of ransomware -- such as the ability to encrypt files
-- rather than the financial lure that Agrius is focusing on during
development.

"We believe the implementation of the encryption functionality is there to
mask its actual intention -- destroying victim data," the researchers say.
"This thesis is supported by an early version of Apostle that the
attackers internally named 'wiper-action'. This early version was deployed
in an attempt to wipe data, but failed to do so possibly due to a logic
flaw in the malware. The flawed execution led to the deployment of the
Deadwood wiper. This, of course, did not prevent the attackers from asking
for a ransom."

SentinelOne says that no "solid" connections to other, established threat
groups have been made, but Agrius' interests in Iranian issues, the
deployment of web shells with ties to Iranian-built variants, and the use
of wipers in the first place -- an attack technique linked to Iranian APTs
as far back as 2002 -- indicate the group is likely to be of Iranian
origin.