Agrius Wiper linked to Iran in action
Share this:
An Iranian APT group known as Agrius has conducted supply chain-focused attacks against the diamond industry in three continents.
ESET threat intelligence team analyzed a supply chain attack targeted at an Israeli software developer to deploy Fantasy, Agrius’s new wiper.
The Fantasy wiper is built on the foundations of the previously reported Apostle wiper but does not attempt to masquerade as ransomware as Apostle. Instead, it wipes data. Victims were observed in South Africa, Israel and Hong Kong.
The victims in Israel included an IT support services company, a diamond seller, and an HR consulting firm. Victims in South African victims were an organization in the diamond industry, and the Hong Kong victim was a jeweler.
Agrius TTP typically exploits known vulnerabilities in internet-facing applications to install web shells. It conducts internal reconnaissance before moving laterally and deploying its malicious payloads.
Agrius operators possibly executed a supply-chain attack by targeting the Israeli software company’s software updating mechanisms to deploy Fantasy to victims in Israel, Hong Kong, and South Africa. It makes no effort to disguise itself as ransomware. Agrius operators used a new tool, Sandals, to connect remotely to systems and execute Fantasy.
Indicators of Compromise
- 1A62031BBB2C3F55D44F59917FD32E4ED2041224
- 820AD7E30B4C54692D07B29361AECD0BB14DF3BE
- 1AAE62ACEE3C04A6728F9EDC3756FABD6E342252
- 5485C627922A71B04D4C78FBC25985CDB163313B
- DB11CBFFE30E0094D6DE48259C5A919C1EB57108
- 3228E6BC8C738781176E65EBBC0EB52020A44866
- B3B1EDD6B80AF0CDADADD1EE1448056E6E1B3274
