Agrius

A new attack group called Agrius is launching damaging wiper attacks against Israeli targets, hiding behind ransomware to make its state-sponsored activity appear financially motivated.

Researchers added that the wiper attacks were carried out with a second piece of malware called “Deadwood,” which Sentinel Labs said has “unconfirmed links to an Iranian threat group.”

Analysts observed Agrius shift its approach from basic espionage to demanding money from victims to recover their data, even though the data had already been destroyed and could not be returned for any amount of money.

Agrius Tactics

For initial access, the group exploits publicly available 1-day vulnerabilities (flaws for which a patch already exists but has not yet been applied by the target) in internet-facing web applications, or uses SQL injection.

Agrius connects through a VPN service, most often ProtonVPN, to reach the victim’s system anonymously. Once the application is exploited, the threat actor uploads a web shell, which for this group is most often a variant of the open-source ASPXSpy web shell. The web shells are used to harvest credentials and to tunnel traffic into the network, so that the compromised credentials can be used to move laterally over RDP.
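The initial-access and web-shell paragraphs above describe a chain a defender can look for in IIS logs: SQL-injection probes against a known page, followed by repeated POSTs to an .aspx resource the application never shipped. The script below is an added example, not code from the article or from SentinelLabs; the IIS W3C log excerpt, the hostnames, paths and IP addresses are all constructed, the `KNOWN_PAGES` allowlist is a hypothetical application manifest, and the SQL-injection heuristic is deliberately crude (a quote plus a comment marker, boolean clause or `xp_cmdshell`).

```python
"""Added example (not from the article or SentinelLabs): hunting for the
SQL injection -> web shell upload -> repeated POSTs chain in IIS W3C logs.
All log lines, paths and IP addresses below are constructed sample data."""
from collections import defaultdict

# Pages the application legitimately serves (hypothetical allowlist). Any
# other .aspx resource that receives POST traffic is a web-shell candidate.
KNOWN_PAGES = {"/default.aspx", "/login.aspx", "/api/search.aspx"}

# Constructed IIS W3C log excerpt, not real traffic.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2021-05-10 08:01:12 10.0.0.5 GET /default.aspx - 200 Mozilla/5.0
2021-05-10 08:02:40 10.0.0.5 POST /login.aspx - 302 Mozilla/5.0
2021-05-10 09:15:03 203.0.113.7 GET /api/search.aspx q=1'+OR+1=1-- 500 python-requests/2.25
2021-05-10 09:16:10 203.0.113.7 POST /api/search.aspx q=1';EXEC+xp_cmdshell+'whoami'-- 500 python-requests/2.25
2021-05-10 09:20:31 203.0.113.7 GET /uploads/error.aspx - 200 Mozilla/5.0
2021-05-10 09:20:35 203.0.113.7 POST /uploads/error.aspx - 200 Mozilla/5.0
2021-05-10 09:21:02 203.0.113.7 POST /uploads/error.aspx - 200 Mozilla/5.0
2021-05-10 09:25:44 203.0.113.7 POST /uploads/error.aspx - 200 Mozilla/5.0
"""


def parse_iis_log(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            records.append(dict(zip(fields, values)))
    return records


def sqli_indicators(records):
    """Return requests whose query string carries crude SQL-injection markers.
    IIS logs spaces in the query as '+', so they are restored before matching."""
    hits = []
    for r in records:
        q = r["cs-uri-query"].replace("+", " ").lower()
        if "'" in q and ("--" in q or " or " in q or "xp_cmdshell" in q):
            hits.append(r)
    return hits


def web_shell_candidates(records, known_pages=KNOWN_PAGES):
    """Group POSTs to .aspx resources outside the allowlist by path."""
    out = defaultdict(lambda: {"post_count": 0, "client_ips": set(), "first_seen": None})
    for r in records:
        path = r["cs-uri-stem"].lower()
        if r["cs-method"] != "POST" or not path.endswith(".aspx") or path in known_pages:
            continue
        entry = out[path]
        entry["post_count"] += 1
        entry["client_ips"].add(r["c-ip"])
        if entry["first_seen"] is None:
            entry["first_seen"] = r["date"] + " " + r["time"]
    return dict(out)


def correlate_chain(records, known_pages=KNOWN_PAGES):
    """Client IPs that both sent SQLi-looking requests and POSTed to an
    unknown .aspx page: the injection-then-web-shell sequence."""
    sqli_ips = {r["c-ip"] for r in sqli_indicators(records)}
    shell_ips = set()
    for entry in web_shell_candidates(records, known_pages).values():
        shell_ips |= entry["client_ips"]
    return sqli_ips & shell_ips


if __name__ == "__main__":
    recs = parse_iis_log(SAMPLE_IIS_LOG)
    for path, info in web_shell_candidates(recs).items():
        print(f"web shell candidate {path}: {info['post_count']} POSTs "
              f"from {sorted(info['client_ips'])}, first seen {info['first_seen']}")
    print("IPs doing SQLi then web-shell POSTs:", sorted(correlate_chain(recs)))
```

On the constructed log this flags `/uploads/error.aspx` as the only web-shell candidate (three POSTs from one address) and correlates that address with the earlier injection attempts. In production the allowlist should be generated from the deployed application's file manifest rather than maintained by hand, and the SQLi heuristic should be replaced by the WAF or application-level signals already available, since the point of the example is the correlation across the two stages, not the individual matches.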

Three of the web shells were uploaded from Iran, while the rest were uploaded from Pakistan, Saudi Arabia and the United Arab Emirates.

From there, a backdoor called “IPsec Helper” periodically checks for internet connectivity by connecting to predetermined Microsoft servers and is used to fetch the Apostle .NET malware. Apostle’s functionality was developed iteratively from a wiper into full-fledged ransomware, while still deleting the victim’s data permanently.

Agrius has also targeted state-owned critical infrastructure inside the United Arab Emirates, a country that is “well known for having been previously targeted by suspected Iranian threat actors.”