SecurityWeek

Malware & Threats

Iranian Hackers Deliver New ‘Fantasy’ Wiper to Diamond Industry via Supply Chain Attack

An Iran-linked advanced persistent threat (APT) actor named Agrius is using a new wiper in attacks targeting entities in South Africa, Israel and Hong Kong, cybersecurity firm ESET reports.

Mainly focused on victims in Israel and the United Arab Emirates, Agrius is a threat actor active since at least 2020, exploiting known vulnerabilities for initial access.

The adversary was previously seen using the Apostle wiper disguised as ransomware, and later updating the malware into fully fledged ransomware. The newly identified wiper, dubbed Fantasy, is built on Apostle's code base but makes no attempt to masquerade as ransomware.

As part of the recently observed attacks, Agrius targeted an Israeli software developer that provides a software suite to organizations in the diamond industry. The supply chain attack allowed the threat actor to infect the developer’s customers with the new Fantasy wiper.

Fantasy was first used against a diamond industry firm in South Africa in March 2022, roughly three weeks after the organization was infected with credential-harvesting tools, likely in preparation for the wiping attack.

After performing reconnaissance and lateral movement, Agrius deployed a Fantasy execution tool dubbed Sandals and launched the wiper. Both Fantasy and Sandals are written in C# for .NET, and the pair was subsequently used in attacks against victims in Israel and Hong Kong.

ESET identified five Fantasy victims, including a diamond wholesaler, an HR consulting firm, and an IT support services provider in Israel, the South African organization from the diamond industry, and a jeweler in Hong Kong.

All victims were customers of the software developer; the Fantasy wiper's filename mimicked that of the legitimate software, and the wiper was executed on every victim system from the Temp directory within a 2.5-hour window. The victims likely already used PsExec, which Agrius employed to blend in with legitimate administration.


The attack lasted less than three hours, and the software developer pushed out clean updates only hours later. ESET says it tried to contact the software developer about the potential compromise but received no response.

Other tools deployed during the attack include MiniDump (which extracts credentials from LSASS memory dumps), SecretsDump (which dumps password hashes), and Host2IP (which resolves hostnames to IP addresses).

Sensitive information harvested with these tools, such as usernames, passwords, and hostnames, was then used by Sandals for lateral movement and to execute the wiper.

“Sandals does not write the Fantasy wiper to remote systems. We believe that the Fantasy wiper is deployed via a supply-chain attack using the software developer’s software update mechanism,” ESET notes.

Fantasy’s wiping routine overwrites the contents of targeted files and then deletes them. The wiper also clears all Windows event logs, attempts to delete every file on the system drive, to flush the file system cache, and to overwrite the system’s Master Boot Record, and finally deletes itself.
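The observable tradecraft described above (PsExec used for remote execution, a payload launched from a Temp directory under a look-alike name, then the event logs cleared) is what a defender can hunt for after the fact. The following is an added example, not code from ESET or from this article: a small set of hunting rules over Windows events exported as JSON lines, with per-host correlation of the three stages in chronological order. The event IDs (7045 service installed, 4688 process created, 1102 audit log cleared) and the PSEXESVC service/parent-process name are real Windows and PsExec artifacts; the JSON field names, the Temp-path markers, and the sample log lines are constructed for the example.

```python
"""Hunt for the PsExec -> Temp-dir execution -> log-clearing chain (added example)."""
import json
from dataclasses import dataclass

# Real Windows event IDs used by the rules.
EVT_SERVICE_INSTALLED = 7045   # System log: a new service was installed
EVT_PROCESS_CREATED = 4688     # Security log: a new process has been created
EVT_AUDIT_LOG_CLEARED = 1102   # Security log: the audit log was cleared

# Path fragments treated as "Temp" locations (constructed list, case-insensitive match).
TEMP_MARKERS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\", "\\temp\\")

# Expected order of the stages on one host.
CHAIN = ("psexec_service_installed", "temp_exec_via_psexec", "audit_log_cleared")


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    ts: str
    detail: str


def is_temp_path(path: str) -> bool:
    """True if the image path sits under a Temp directory."""
    return any(marker in path.lower() for marker in TEMP_MARKERS)


def rule_psexec_service(ev: dict):
    """Unrenamed PsExec installs a service called PSEXESVC on the target first."""
    if ev.get("id") == EVT_SERVICE_INSTALLED and ev.get("service", "").lower() == "psexesvc":
        return Finding(CHAIN[0], ev["host"], ev["ts"], ev["service"])
    return None


def rule_temp_exec_via_psexec(ev: dict):
    """A process spawned by PSEXESVC.exe whose image lives in a Temp directory."""
    if ev.get("id") != EVT_PROCESS_CREATED:
        return None
    parent, image = ev.get("parent", "").lower(), ev.get("image", "")
    if parent.endswith("psexesvc.exe") and is_temp_path(image):
        return Finding(CHAIN[1], ev["host"], ev["ts"], image)
    return None


def rule_audit_log_cleared(ev: dict):
    """Event 1102 is the one record that survives clearing the Security log."""
    if ev.get("id") == EVT_AUDIT_LOG_CLEARED:
        return Finding(CHAIN[2], ev["host"], ev["ts"], ev.get("user", ""))
    return None


RULES = (rule_psexec_service, rule_temp_exec_via_psexec, rule_audit_log_cleared)


def hunt(lines):
    """Run every rule over JSON-lines events; returns findings in input order."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        findings.extend(hit for hit in (rule(ev) for rule in RULES) if hit is not None)
    return findings


def hosts_with_chain(findings):
    """Hosts where all three stages fired, each after the previous one (sorted by ISO ts)."""
    by_host = {}
    for f in sorted(findings, key=lambda f: f.ts):
        by_host.setdefault(f.host, []).append(f.rule)
    hosts = set()
    for host, rules in by_host.items():
        pos = 0
        for rule in rules:
            if pos < len(CHAIN) and rule == CHAIN[pos]:
                pos += 1
        if pos == len(CHAIN):
            hosts.add(host)
    return hosts


# Constructed sample events: WS-01 shows the full chain, WS-02 a legitimate PsExec
# session (cmd.exe from System32), WS-03 a Temp-dir install not launched via PsExec.
SAMPLE_LOG = r"""
{"ts": "2022-03-10T09:00:01Z", "host": "WS-01", "id": 7045, "service": "PSEXESVC", "path": "%SystemRoot%\\PSEXESVC.exe"}
{"ts": "2022-03-10T09:00:04Z", "host": "WS-01", "id": 4688, "parent": "C:\\Windows\\PSEXESVC.exe", "image": "C:\\Windows\\Temp\\update.exe"}
{"ts": "2022-03-10T09:05:30Z", "host": "WS-01", "id": 1102, "user": "CORP\\svc-deploy"}
{"ts": "2022-03-10T09:01:00Z", "host": "WS-02", "id": 7045, "service": "PSEXESVC", "path": "%SystemRoot%\\PSEXESVC.exe"}
{"ts": "2022-03-10T09:01:02Z", "host": "WS-02", "id": 4688, "parent": "C:\\Windows\\PSEXESVC.exe", "image": "C:\\Windows\\System32\\cmd.exe"}
{"ts": "2022-03-10T09:02:00Z", "host": "WS-03", "id": 4688, "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\setup.exe"}
{"ts": "2022-03-10T09:20:00Z", "host": "WS-03", "id": 1102, "user": "CORP\\bob"}
"""

if __name__ == "__main__":
    hits = hunt(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h.ts} {h.host} {h.rule}: {h.detail}")
    print("full chain on:", sorted(hosts_with_chain(hits)))
```

Two caveats a practitioner should keep in mind. First, because the victims already used PsExec, the service-install rule alone is noise in such environments; the per-host chain correlation is what separates WS-01 from the routine PsExec session on WS-02. Second, PsExec's -r option renames the service, so the PSEXESVC match only catches default usage; hunting on the parent-to-Temp-directory relationship and on event 1102 does not depend on that name.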

Most of Fantasy’s code base is copied directly from Apostle, many of its functions are only slightly modified versions of Apostle’s, and the execution flow of the two is similar, which leads ESET to attribute this malware to Agrius as well.

Related: New Iranian Group ‘Agrius’ Launches Destructive Cyberattacks on Israeli Targets

Related: Religious Minority Persecuted in Iran Targeted With Sophisticated Android Spyware

Related: Iran Arrests News Agency Deputy After Reported Cyberattack

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
