Iranian hacking group Agrius pretends to encrypt files for a ransom, destroys them instead

The relatively new threat group has been connected to attacks against Israeli targets.

The Agrius hacking group has shifted from using purely destructive wiper malware to a combination of wiper and ransomware functionality -- and will pretend to hold data to ransom as a final stage in attacks. 

In an analysis of the threat group's latest movements, SentinelOne researchers said on Tuesday that Agrius was first spotted in attacks against Israeli targets in 2020.

The group uses a combination of its own custom toolsets and readily available offensive security software to deploy either a destructive wiper or a custom wiper-turned-ransomware variant. 

However, unlike ransomware groups such as Maze and Conti, it doesn't appear that Agrius is purely motivated by money -- instead, the use of ransomware is a new addition and a bolt-on to attacks focused on cyberespionage and destruction. 

Furthermore, in some attacks traced by SentinelOne when only a wiper was deployed, Agrius would pretend to have stolen and encrypted information to extort victims -- but this information had already been destroyed by the wiper. 

Agrius "intentionally masked their activity as a ransomware attack," the researchers say, while actually engaging in destructive attacks against Israeli targets. 

The researchers suspect the group is state-sponsored. 

During the first stages of an attack, Agrius will use virtual private network (VPN) software while accessing public-facing apps or services belonging to its intended victim before attempting an exploit, often through compromised accounts and software vulnerabilities. 

For example, a vulnerability in FortiOS, tracked as CVE-2018-13379, has been widely used in exploit attempts against targets in Israel. 

If successful, webshells are then deployed, public cybersecurity tools are used for credential harvesting and network movement, and malware payloads are then deployed. 

Agrius' toolkit includes Deadwood (also known as Detbosit), a destructive wiper malware strain. Deadwood was linked to attacks against Saudi Arabia during 2019, thought to be the work of APT33. 

Both APT33 and APT34 have been connected to the use of wipers including Deadwood, Shamoon, and ZeroCleare. 

During attacks, Agrius also drop a custom .NET backdoor called IPsec Helper for persistence and to create a connection with a command-and-control (C2) server. In addition, the group will drop a novel .NET wiper dubbed Apostle.

IPsec Helper and Apostle appear to be the work of the same developer. 

In a recent attack against a state-owned facility in the United Arab Emirates, Apostle appears to have been improved and modified to contain functional ransomware components. However, the team believes it is the destructive elements of ransomware -- such as the ability to encrypt files -- rather than the financial lure that Agrius is focusing on during development. 

"We believe the implementation of the encryption functionality is there to mask its actual intention -- destroying victim data," the researchers say. "This thesis is supported by an early version of Apostle that the attacker's internally named 'wiper-action'. This early version was deployed in an attempt to wipe data, but failed to do so possibly due to a logic flaw in the malware. The flawed execution led to the deployment of the Deadwood wiper. This, of course, did not prevent the attackers from asking for a ransom."

SentinelOne says that no "solid" connections to other, established threat groups have been made, but due to Agrius' interests in Iranian issues, the deployment of web shells with ties to Iranian-built variants, and the use of wipers in the first place -- an attack technique linked to Iranian APTs as far back as 2002 -- indicate the group is likely to be of Iranian origin. 

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0