
SecurityWeek

Malware & Threats

Iranian Hackers Deliver New ‘Fantasy’ Wiper to Diamond Industry via Supply Chain Attack

An Iran-linked advanced persistent threat (APT) actor named Agrius is using a new wiper in attacks targeting entities in South Africa, Israel and Hong Kong, cybersecurity firm ESET reports.


Mainly focused on victims in Israel and the United Arab Emirates, Agrius is a threat actor active since at least 2020, exploiting known vulnerabilities for initial access.

The adversary was previously seen using the Apostle wiper disguised as ransomware, and later updating the malware into fully fledged ransomware. Dubbed Fantasy, the newly identified wiper is built on Apostle, but does not attempt to masquerade as ransomware.

As part of the recently observed attacks, Agrius targeted an Israeli software developer that provides a software suite to organizations in the diamond industry. The supply chain attack allowed the threat actor to infect the developer’s customers with the new Fantasy wiper.

Fantasy was first used against a diamond industry firm in South Africa in March 2022, roughly three weeks after the organization was infected with credential-harvesting tools, likely in preparation for the wiping attack.

After performing reconnaissance and lateral movement, Agrius deployed a Fantasy execution tool dubbed Sandals, and launched the wiper. Written in C# and .NET, Fantasy and Sandals were then both used in attacks against victims in Israel and Hong Kong.

ESET identified five Fantasy victims, including a diamond wholesaler, an HR consulting firm, and an IT support services provider in Israel, the South African organization from the diamond industry, and a jeweler in Hong Kong.

All victims were customers of the software developer, the Fantasy wiper was given a name similar to the legitimate software, and the wiper was executed on all victim systems from the Temp directory, within a 2.5-hour timeframe. All victims likely already used PsExec, which Agrius employed to blend in.

The attack lasted less than three hours, with the software developer pushing out clean updates only hours later. ESET says that it tried to contact the software developer about the potential compromise, but it received no response.

Other tools deployed during the attack include MiniDump (for credential harvesting from LSASS dumps), SecretsDump (a hash dumper), and Host2IP (a hostname resolver).

Sensitive information such as usernames, passwords, and hostnames harvested using these tools was then used by Sandals for lateral movement and for the wiper’s execution.

“Sandals does not write the Fantasy wiper to remote systems. We believe that the Fantasy wiper is deployed via a supply-chain attack using the software developer’s software update mechanism,” ESET notes.

Fantasy’s wiping routine involves replacing the contents of targeted files and then deleting these files. The wiper also clears all Windows event logs, attempts to delete all files on the system drive, clear the file system cache, and overwrite the system’s Master Boot Record, and then deletes itself.
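Two of the behaviours described above are directly observable by defenders: the wiper being launched from a Temp directory under PsExec's service process on several hosts within a 2.5-hour window, and event logs being cleared. The following is an added detection example written for this article, not ESET's or Agrius's code; it assumes process-creation events (Windows Security event 4688) and audit-log-cleared events (1102) have already been normalised into the simplified dict fields shown, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the ESET report). The field names are an
# assumption about how a collector normalises Windows 4688 / 1102 events.
SAMPLE_EVENTS = [
    {"ts": "2022-03-10T09:01:12", "host": "WS01", "event": 4688,
     "parent": r"C:\Windows\PSEXESVC.exe", "image": r"C:\Windows\Temp\update.exe"},
    {"ts": "2022-03-10T09:01:13", "host": "WS01", "event": 4688,
     "parent": r"C:\Program Files\Vendor\svc.exe", "image": r"C:\Program Files\Vendor\updater.exe"},
    {"ts": "2022-03-10T09:05:44", "host": "WS01", "event": 1102, "user": "ADMIN"},
    {"ts": "2022-03-10T10:30:02", "host": "WS02", "event": 4688,
     "parent": r"C:\Windows\PSEXESVC.exe", "image": r"C:\Users\bob\AppData\Local\Temp\update.exe"},
    {"ts": "2022-03-11T08:00:00", "host": "WS03", "event": 4688,
     "parent": r"C:\Windows\PSEXESVC.exe", "image": r"C:\Windows\Temp\tool.exe"},
]


def is_temp_path(path):
    """True for any image path that lives under a directory named Temp."""
    return "\\temp\\" in path.lower()


def is_psexec_parent(path):
    """PSEXESVC.exe is the service PsExec installs on the remote host."""
    return path.lower().endswith("\\psexesvc.exe")


def flag_suspicious_launches(events):
    """4688 events where a binary in a Temp directory was started via PsExec."""
    return [e for e in events
            if e["event"] == 4688 and is_temp_path(e["image"]) and is_psexec_parent(e["parent"])]


def flag_log_clears(events):
    """1102 events: the Security audit log was cleared (the wiper clears all logs)."""
    return [e for e in events if e["event"] == 1102]


def hosts_hit_within(events, window=timedelta(hours=2, minutes=30)):
    """Largest set of distinct hosts with suspicious launches inside one sliding window.
    A multi-host hit in a short window is the fleet-wide pattern ESET describes."""
    hits = sorted((datetime.fromisoformat(e["ts"]), e["host"]) for e in flag_suspicious_launches(events))
    best = set()
    for i, (t0, _) in enumerate(hits):
        hosts = {h for t, h in hits[i:] if t - t0 <= window}
        if len(hosts) > len(best):
            best = hosts
    return best


if __name__ == "__main__":
    print("suspicious launches:", len(flag_suspicious_launches(SAMPLE_EVENTS)))
    print("log clears:", len(flag_log_clears(SAMPLE_EVENTS)))
    print("hosts hit within window:", sorted(hosts_hit_within(SAMPLE_EVENTS)))
```

On the sample data the WS03 launch falls outside the window and is reported individually but not as part of the correlated cluster.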

Most of Fantasy’s code base is directly copied from Apostle, with many of its functions only slightly modified from Apostle, and with many execution flow similarities also observed, indicating that Agrius is behind this malware as well, ESET notes.

Related: New Iranian Group ‘Agrius’ Launches Destructive Cyberattacks on Israeli Targets

Related: Religious Minority Persecuted in Iran Targeted With Sophisticated Android Spyware

Related: Iran Arrests News Agency Deputy After Reported Cyberattack

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

