Iranian APT Agrius Deploys Data Wiper Malware in Supply-Chain Attacks

Agrius’ attack targets

• The group was observed launching credential harvesting tools on an Israeli software developer network, probably in preparation to deploy Fantasy with the wiper execution tool Sandals.
• The attackers waited for about a month to launch the data-wiping attacks. 
• Subsequently, they launched attacks against a South African organization working in the diamond industry, Israeli organizations, and a jeweler in Hong Kong.

Agrius’ arsenal and behavior

• In addition to the above malware, Agrius deploys several tools such as MiniDump, SecretsDump, and Host2IP to target victim systems.
• These tools collect usernames, passwords, and hostnames required for Sandals to successfully spread and execute Fantasy data wiper.
• After destructing the data, the wiper deletes itself from the system and reboots the system. Experts suggest that recovery is possible with data recovery tools.
• The operators use the PsExec tool to blend into the administrative activity on victims’ systems and for ease of batch file execution.

Recent data wiping incidents

• Recently, in the disguise of ransomware, CryWiper, a data-wiping malware, was discovered targeting Russia’s mayor's offices and courts.
• Last month, Azov Ransomware was observed being circulated via pirated software, adware bundles, and key generators in its data-wiping operations.
• In August, Fortinet researchers discovered that several wiper variants were targeting private, government, and military organizations in Ukraine and other countries.

Conclusion