Over the past year, an Iran-linked threat actor named Agrius has been observed launching destructive attacks on Israeli targets disguised as ransomware attacks, according to endpoint security company SentinelOne.
Likely state-sponsored, the threat group initially engaged in cyberespionage attacks, but then attempted to extort victims, claiming to have exfiltrated and encrypted data. The recovery of the impacted files, however, was not possible, due to the destructive nature of the attack.
Dubbed Apostle, the wiper used in these attacks was later updated with encryption capabilities, becoming a fully functional piece of ransomware.
“The similarity to its wiper version, as well as the nature of the target in the context of regional disputes, leads us to believe that the operators behind it are utilizing ransomware for its disruptive capabilities,” SentinelOne says.
Vulnerabilities in Internet-facing applications are leveraged for intrusion, including CVE-2018-13379, a high-severity path traversal vulnerability in the FortiOS SSL VPN web portal, and various security bugs in other web-based applications.
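Path traversal attempts of the kind described above leave a recognizable trace in web server access logs: request paths that, once percent-decoded (sometimes more than once), contain `../` sequences. The following detector is an added example written for this article, not code from SentinelOne or from the report; the log format, the `/vpn/files` endpoint and the sample lines are constructed for illustration and are not tied to any specific product or exploit.

```python
import re
from urllib.parse import unquote

# Combined-log-style line: client, two ignored fields, timestamp, request line, status.
# Constructed format for this example; adapt the regex to the real log source.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines: one benign login, two traversal attempts (single and
# double percent-encoded), and a benign filename that merely contains "..".
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2021:08:12:01 +0000] "GET /vpn/login?lang=en HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/May/2021:08:12:07 +0000] "GET /vpn/files?name=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1024',
    '198.51.100.2 - - [10/May/2021:08:13:40 +0000] "GET /vpn/files?name=%252e%252e%252fconfig HTTP/1.1" 404 0',
    '203.0.113.5 - - [10/May/2021:08:14:11 +0000] "GET /vpn/files?name=report..v2.pdf HTTP/1.1" 200 2048',
]


def normalize_path(raw: str) -> str:
    """Percent-decode until stable (catches double encoding) and unify slashes."""
    decoded = raw
    for _ in range(3):  # bounded so a pathological input cannot loop forever
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace('\\', '/')


def traversal_depth(raw_path: str) -> int:
    """Number of '../' hops in the decoded path; 0 means no traversal."""
    return normalize_path(raw_path).count('../')


def scan_log(lines):
    """Return (client_ip, decoded_path, status, depth) for each traversal attempt.

    The HTTP status is kept because a 200 on a traversal request is the case
    that needs immediate investigation: it suggests the request was served.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; count these separately in production
        depth = traversal_depth(m.group('path'))
        if depth:
            hits.append((
                m.group('ip'),
                normalize_path(m.group('path')),
                int(m.group('status')),
                depth,
            ))
    return hits


if __name__ == '__main__':
    for ip, path, status, depth in scan_log(SAMPLE_LOG):
        flag = 'SERVED' if status == 200 else 'blocked/failed'
        print(f'{ip} depth={depth} status={status} ({flag}) {path}')
```

The decode-until-stable loop is the part that matters: a filter that checks only the raw request string misses `%252e%252e%252f`, while a filter that decodes exactly once misses triple encoding. Decoding in a bounded loop and only then looking for `../` keeps the check cheap and resistant to those evasions, and the filename `report..v2.pdf` shows why the pattern must include the slash rather than just `..`.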
Agrius, the researchers say, uses VPN services to connect to victims’ environments, and employs webshells (mainly variations of ASPXSpy) to tunnel RDP traffic and exploit compromised accounts for lateral movement.
The attackers also employ publicly available tools to harvest credentials and expand their foothold within the compromised environment. On targets of interest they also deploy their own .NET backdoor, dubbed IPsec Helper, to steal data and drop additional payloads when necessary.
In addition to Apostle, the threat group was observed using a wiper called DEADWOOD, which was previously used in an attack against a target in Saudi Arabia in 2019. Most of the adversary’s targets, however, are from Israel, and are likely chosen opportunistically, SentinelOne researchers believe.
Apostle shares code similarities with IPsec Helper, likely because they are both developed in-house. An initial version of the malware contained only wiping capabilities, but failed to perform the action as expected, which led to the deployment of the DEADWOOD wiper.
This year, the threat actor came up with a second variant of Apostle, which features ransomware capabilities, but employs the old wiping method for deleting the original files after encryption.
During their investigation, SentinelOne researchers did not find links between Agrius’ techniques, tools, and infrastructure and known threat actors, but did identify evidence suggesting the adversary operates out of Iran.
“Agrius is a new threat group that we assess with medium confidence to be of Iranian origin, engaged in both espionage and disruptive activity. The group leverages its own custom toolset, as well as publicly available offensive security tools, to target a variety of organizations in the Middle East,” SentinelOne notes.
The researchers also point out that the group might be part of a larger, coordinated Iranian strategy that also includes the recently disclosed Pay2Key attacks. However, the destructive nature of Agrius’ attacks, which continued into May 2021, suggests that the group is not financially motivated.