Agrius, a suspected Iranian threat actor, had recently carried out a ransomware attack on the Bar-Ilan University in Israel. The group reportedly used a new variant of Apostle ransomware.

What was discovered?

According to SentinelLabs, the Agrius group carried out a ransomware attack on the Israeli university Bar-Ilan on August 15.
  • The group used a new and customized encrypted and obfuscated variant of Apostle.
  • The ransomware was compressed as a resource in a Jennlog loader, disguised as log files.
  • After infection, the malware not only drops the ransom note but also replaces the wallpaper on the victim’s machine with a picture of a clown. 

The Jennlog connection

  • Jennlog is a .NET loader that deobfuscates, decompresses, and decrypts a .NET executable from a resource embedded within the file.
  • The resource in the loader appears as log files, which contain the binary to run as well as a configuration required for the execution of the malware.
  • The configuration of Jennlog has 13 values, of which 12 were used in the new variant of the malware.

Modus Operandi

  • Prior to running the Apostle ransomware payload, the Jennlog loader first makes sure that it is not being executed in an analysis environment based on an embedded configuration. 
  • Further analysis of the Jennlog loader revealed another variant of Jennlog that loaded and executed OrcusRAT. The other variant is very similar to the one used in the loading Apostle ransomware.


Agrius group is actively upgrading its arsenal to perform ransomware operations efficiently. It is essential that security teams and agencies keep an eye on this threat to avoid any surprise attacks.

Cyware Publisher