A new attack group called Agrius is launching damaging wiper attacks against Israeli targets, which researchers said are hiding behind ransomware to make their state-sponsored activities appear financially motivated.
Sentinel Labs analysts said they have been tracking Agrius’ operations in Israel since 2020 and have observed the evolution of the group’s malware, Apostle, to include ransomware functionality. Researchers added that the wiper attacks were conducted using a secondary malware called “Deadwood” (a.k.a. “Detbosit”), which Sentinel Labs said has “unconfirmed links to an Iranian threat group.”
Analysts observed Agrius shift its approach from carrying out basic espionage to asking victims for money to retrieve their data — even though the data was destroyed and couldn’t be returned for any amount of money.
“An analysis of what at first sight appeared to be a ransomware attack revealed new variants of wipers that were deployed in a set of destructive attacks against Israeli targets,” Sentinel Labs explained. “The operators behind the attacks intentionally masked their activity as ransomware attacks, an uncommon behavior for financially motivated groups. Considering this and the nature of the known targets, we assess this is a nation-sponsored threat group.”
Agrius Evolving Tactics
Most often, the attack group takes advantage of publicly available 1-day exploits in web-based apps or SQL injection for initial access, according to the analysis.
Agrius uses a VPN service, most often it’s ProtonVPN, Sentinel Labs said, to anonymously access a victim’s system and deploys a web shell, which for this group is most often a variant of the open-source ASPXSpy malware. The attackers use the web shells to harvest credentials and move laterally throughout the network.
“Upon successful exploitation, the threat actor uploads a web shell,” Sentinel Labs explained. “Those web shells are used to tunnel traffic into the network in order to leverage compromised credentials to move laterally using Remote Desktop Protocol.”
Agrius was observed using different web shells, which analysts said were largely ASPXSpy variants.
“Three of the web shells were uploaded from Iran, while the rest were uploaded from Pakistan, Saudi Arabia and the United Arab Emirates,” the report explained. “Although we cannot confirm this implementation is exclusive to Agrius, it is apparent it is limited to regional actors, most likely Iranian.”
From there, backdoor malware called “IPsec Helper” intermittently checks for an internet connection by connecting to pre-determined Microsoft servers to grab the Apostle .NET malware.
Sentinel Labs traced the earliest wiper iteration of Apostle back to November, when it was used to target an Israeli organization.
“Apostle is a .NET malware whose functionality iteratively developed from a wiper to full-fledged ransomware,” the report said. “We believe the implementation of the encryption functionality is there to mask its actual intention: Destroying victim data.”
Agrius also targeted state-owned critical infrastructure inside the United Arab Emirates, which Sentinel Labs said is “well known for having been previously targeted by suspected Iranian threat actors.”
Ransomware Isn’t Always What It Seems
Ransomware has been used successfully in the past as a way for state actors to avoid direct blame for attacks, according to Sentinel Labs, which pointed to NotPetya attacks from 2017 and Russian state-sponsored attackers who targeted intelligence agencies in the west. And just this month, another wave of attacks from “n3tw0rm” ransomware group targeting Israel and linked to Iran, suggesting these could all be part of a bigger effort.
“The group leverages its own custom toolset, as well as publicly available offensive security tools, to target a variety of organizations in the Middle East,” the report said about the attack group. “In some cases, the group leveraged its access to deploy destructive wiper malware, and in others a custom ransomware. Considering this, we find it unlikely that Agrius is a financially motivated threat actor.”
Join Threatpost for “A Walk On The Dark Side: A Pipeline Cyber Crisis Simulation”– a LIVE interactive demo on Wed, June 9 at 2:00 PM EDT. Sponsored by Immersive Labs, find out whether you have the tools and skills to prevent a Colonial Pipeline-style attack on your organization. Questions and LIVE audience participation encouraged. Join the discussion and Register HERE for free.