ESET Research Unveils New Wiper Attack Led by Iran Affiliate Agrius Group Targeting the Diamond Industry
Agrius carried out a so-called supply chain attack by hijacking an Israeli software suite used in the diamond industry.
Agrius is a relatively new hacker group, which is affiliated with Iran and which focuses solely on destruction operations.
The group deployed a (wiper) eraser that we named Fantasy. Most of its code comes from Apostle, Agrius' previous Wiper.
Along with Fantasy, Agrius has also rolled out a new Fantasy lateral movement and execution tool that we've named Sandals.
Among the victims are Israeli HR companies, IT consultancies and a diamond wholesaler, a South African company working in the diamond industry and a Hong Kong jeweler.
Researchers from ESET, Europe's leading publisher of security solutions, have discovered a new wiper and its execution tool, both attributed to the Iranian-affiliated hacker group Agrius. These malicious operators carried out a so-called hijacking supply chain attack on an Israeli publisher's software to deploy Fantasy, their new wiper, and Sandals, a new Fantasy lateral movement and execution tool. The hijacked software suite is of Israeli origin, it is used in the diamond industry. In February 2022, Agrius began by targeting an Israeli Human Resources company, a diamond wholesaler and an IT consulting firm. The group is known for its destructive activities. Casualties have also been seen in South Africa and Hong Kong.
“The campaign lasted less than three hours, and during that time, ESET customers were already protected with detections identifying Fantasy as an eraser and blocking its execution. We found that the developer of the software used for the attack released new updates within hours of the attack,” said Adam Burgher, Senior Threat Intelligence Analyst at ESET. We contacted the software developer to inform them of a potential security breach, but received no response in return.
“On February 20, 2022, Agrius deployed credential harvesting tools at a diamond industry company in South Africa, likely in preparation for this campaign. Then on March 12, 2022, Agrius launched its attack by deploying Fantasy and Sandals malware, first to the victim in South Africa, then to victims in Israel, and finally to a victim in Hong Kong,” continues Mr. Burgher.
Fantasy Eraser either deletes all files on disk or all files whose extensions are on a list of 682, including files from Microsoft 365 applications such as Microsoft Word, Microsoft PowerPoint, and Microsoft Excel, and formats common video, audio and image files. Even if the malware takes steps to prevent file recovery and limit the success of a forensic investigation from being successful, it is likely that Windows OS disk recovery is possible. The victims were operational again within hours.
Agrius is a relatively new group, affiliated with Iran, which has been targeting victims in Israel and the United Arab Emirates since 2020. The group initially deployed Apostle, an eraser disguised as ransomware, but later modified it to become a full-fledged ransomware. Agrius exploits known vulnerabilities in internet applications to install webshells, then performs internal reconnaissance before performing lateral moves and deploying its malware.
Since its discovery in 2021, Agrius has focused solely on destruction operations. Fantasy is similar in many ways to the previous Apostle eraser, except that it makes no effort to disguise itself as ransomware. There are only a few minor changes between most of Apostle's original features and the Fantasy implementation.
For more technical information on the Agrius Fantasy wiper, see the article “Fantasy – a new Agrius wiper deployed through a supply-chain attack” on WeLiveSecurity.