Cybersecurity company ESET has reported that Agrius, an advanced persistent threat (APT) actor with connections to Iran, is employing a new wiper in operations against targets in South Africa, Hong Kong, and Israel. Agrius has been active since at least 2020, concentrating mostly on victims in Israel and the United Arab Emirates and exploiting vulnerabilities for initial access.
The adversary was earlier observed employing the Apostle wiper malware, which eventually evolved into full-fledged ransomware. The newly discovered wiper, known as Fantasy, is based on Apostle but does not try to pass itself off as ransomware. In the recent attacks, Agrius targeted an Israeli software developer that offers a software package to businesses in the diamond sector, and this supply-chain compromise allowed the threat actor to infect the developer's clients with the new Fantasy wiper.
Fantasy was first deployed in March 2022 against a South African diamond-sector enterprise, around three weeks after the company had been infected with credential-harvesting tools, most likely in preparation for the wiping attack. After undertaking reconnaissance and lateral movement, Agrius launched the wiper with Sandals, the Fantasy execution tool. Fantasy and Sandals, both written in C# for .NET, were later employed in attacks against targets in Israel and Hong Kong.
ESET discovered five victims of Fantasy: an Israeli diamond distributor, an HR consulting company, an IT support services provider, a South African organization from the diamond business, and a Hong Kong jeweler. All victims were clients of the software developer. The Fantasy wiper carried the same file name as the legitimate program, and it was run on all victim PCs from the \Temp directory over a period of 2.5 hours. Because PsExec was already in use at all of the victims, Agrius's use of it was able to blend in.
The attack lasted less than three hours, and the software provider only pushed clean updates hours after it ended. According to ESET, it attempted to get in touch with the software provider about the possible intrusion but got no answer. Other tools used in the attack were Host2IP (a hostname resolver), SecretsDump (a hash dumper), and MiniDump (for collecting credentials from LSASS dumps). Sandals used these tools to gather sensitive data such as usernames, passwords, and hostnames, which were then used for lateral movement and to execute the wiper.
“Sandals does not write the Fantasy wiper to remote systems. We believe that the Fantasy wiper is deployed via a supply-chain attack using the software developer’s software update mechanism,” ESET notes.
Fantasy's wiping process changes the contents of the targeted files before deleting them. The wiper attempts to erase every file on the system disk, clears the file system cache, overwrites the system's Master Boot Record, and deletes itself. It also clears all Windows event logs. Since the majority of Fantasy's code base is a straight copy of Apostle's, several of its functions have only been marginally altered, and numerous similarities in execution flow have also been noted. ESET said that Agrius is likely responsible for this malware as well.
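As an added defensive example (not code from ESET's report or from this article), the following Python correlates the observables described above over constructed endpoint records: a PsExec service installation (PSEXESVC is PsExec's default service name), a process starting from the \Temp directory under the legitimate product's file name but outside its install directory, and a cleared Windows event log. The host names, paths, the binary name vendorapp.exe and its install directory are all assumptions.

```python
import ntpath
import re
from collections import defaultdict

# Constructed endpoint records (host, event kind, detail); not real telemetry.
SAMPLE_EVENTS = [
    ("WS01", "service_install", "PSEXESVC"),
    ("WS01", "process_start", r"C:\Temp\vendorapp.exe"),
    ("WS01", "log_cleared", "Security"),
    ("WS02", "service_install", "PSEXESVC"),
    ("WS02", "process_start", r"C:\Program Files\Vendor\vendorapp.exe"),
    ("WS03", "process_start", r"C:\Temp\vendorapp.exe"),
]

# Assumed name and install directory of the legitimate product the wiper impersonated.
KNOWN_BINARIES = {"vendorapp.exe"}
LEGIT_DIR = "c:\\program files\\vendor\\"
TEMP_RE = re.compile(r"^[a-z]:\\temp\\", re.IGNORECASE)


def host_indicators(events):
    """Return the set of indicator names observed in one host's events."""
    hits = set()
    for kind, detail in events:
        if kind == "service_install" and detail.upper() == "PSEXESVC":
            hits.add("psexec_service")          # PsExec's default service name
        elif kind == "process_start":
            if TEMP_RE.match(detail):
                hits.add("exec_from_temp")      # binary launched from \Temp
            if (ntpath.basename(detail).lower() in KNOWN_BINARIES
                    and not detail.lower().startswith(LEGIT_DIR)):
                hits.add("name_impersonation")  # product's name, wrong location
        elif kind == "log_cleared":
            hits.add("log_cleared")             # event logs wiped after the fact
    return hits


def find_suspects(records, min_hits=3):
    """Group records by host and flag hosts showing at least min_hits indicators."""
    per_host = defaultdict(list)
    for host, kind, detail in records:
        per_host[host].append((kind, detail))
    suspects = {}
    for host, events in per_host.items():
        hits = host_indicators(events)
        if len(hits) >= min_hits:
            suspects[host] = sorted(hits)
    return suspects
```

Requiring several indicators on the same host keeps a lone PsExec service install (WS02) or a single Temp execution (WS03) from firing on their own.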