
Iranian Hackers Deliver New ‘Fantasy’ Wiper to Diamond Industry via Supply Chain Attack

An Iran-linked advanced persistent threat (APT) actor named Agrius is using a new wiper in attacks targeting entities in South Africa, Israel and Hong Kong, cybersecurity firm ESET reports.

Mainly focused on victims in Israel and the United Arab Emirates, Agrius is a threat actor active since at least 2020, exploiting known vulnerabilities for initial access.

The adversary was previously seen using the Apostle wiper disguised as ransomware, and later updating the malware into fully fledged ransomware. Dubbed Fantasy, the newly identified wiper is built on Apostle's code base but makes no attempt to masquerade as ransomware.

As part of the recently observed attacks, Agrius targeted an Israeli software developer that provides a software suite to organizations in the diamond industry. The supply chain attack allowed the threat actor to infect the developer’s customers with the new Fantasy wiper.

Fantasy was first used against a diamond industry firm in South Africa in March 2022, roughly three weeks after the organization was infected with credential-harvesting tools, likely in preparation for the wiping attack.

After performing reconnaissance and lateral movement, Agrius deployed a Fantasy execution tool dubbed Sandals, and launched the wiper. Written in C# and .NET, Fantasy and Sandals were then both used in attacks against victims in Israel and Hong Kong.

ESET identified five Fantasy victims, including a diamond wholesaler, an HR consulting firm, and an IT support services provider in Israel, the South African organization from the diamond industry, and a jeweler in Hong Kong.

All victims were customers of the software developer, the Fantasy wiper was given a name similar to that of the legitimate software, and the wiper was executed on all victim systems from the Temp directory within a 2.5-hour timeframe. All victims likely already used PsExec, which Agrius employed to blend in with normal administrative activity.

The attack lasted less than three hours, with the software developer pushing out clean updates only hours later. ESET says that it tried to contact the software developer about the potential compromise, but it received no response.

Other tools deployed during the attack include MiniDump (for credential harvesting from LSASS dumps), SecretsDump (hashes dumper), and Host2IP (hostname resolver).

Sensitive information such as usernames, passwords, and hostnames harvested with these tools was then used by Sandals for lateral movement and for executing the wiper.

“Sandals does not write the Fantasy wiper to remote systems. We believe that the Fantasy wiper is deployed via a supply-chain attack using the software developer’s software update mechanism,” ESET notes.

Fantasy's wiping routine replaces the contents of targeted files and then deletes them. The wiper also clears all Windows event logs, attempts to delete all files on the system drive, attempts to clear the file system cache, attempts to overwrite the system's Master Boot Record, and finally deletes itself.
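The behaviours described above (a binary launched from the Temp directory, PsExec-style remote execution, and wholesale clearing of Windows event logs) are the sort of signals a defender would correlate per host. The following is an added detection example written for this article; it is not ESET's or SecurityWeek's code and not derived from the malware. The telemetry format, field names, indicator weights, alert threshold and the sample records are all constructed assumptions.

```python
"""
Added detection example (not ESET's or SecurityWeek's code): scores
constructed host telemetry for the behaviours the article attributes to
the Fantasy/Sandals intrusion: execution from the Temp directory,
PsExec-style remote service execution, and clearing of Windows event
logs. Field names, event values, weights and the sample records below
are assumptions made for this example.
"""
import json
import re
from collections import defaultdict

# Constructed sample telemetry as JSON lines; not real logs from the incident.
SAMPLE_TELEMETRY = r"""
{"host":"ws01","ts":"2022-03-10T09:01:05Z","event":"process_start","image":"C:\\Windows\\PSEXESVC.exe","parent":"services.exe","user":"corp\\admin"}
{"host":"ws01","ts":"2022-03-10T09:01:07Z","event":"process_start","image":"C:\\Users\\admin\\AppData\\Local\\Temp\\suite_updater.exe","parent":"PSEXESVC.exe","user":"corp\\admin"}
{"host":"ws01","ts":"2022-03-10T09:02:30Z","event":"log_cleared","channel":"Security","user":"corp\\admin"}
{"host":"ws02","ts":"2022-03-10T09:03:00Z","event":"process_start","image":"C:\\Program Files\\Vendor\\suite.exe","parent":"explorer.exe","user":"corp\\alice"}
{"host":"ws03","ts":"2022-03-10T09:10:00Z","event":"process_start","image":"C:\\Users\\bob\\AppData\\Local\\Temp\\7z_installer.exe","parent":"explorer.exe","user":"corp\\bob"}
"""

# A path component named Temp or Tmp anywhere in the image path.
TEMP_DIR = re.compile(r"\\(?:Temp|Tmp)\\", re.IGNORECASE)

# Assumed weights: PsExec alone is common in legitimate administration (the
# article notes the victims already used it), so it cannot alert by itself;
# clearing event logs is rare in normal operation and weighs the most.
WEIGHTS = {"temp_exec": 1, "psexec": 2, "log_cleared": 3}
ALERT_THRESHOLD = 4


def classify(record):
    """Return the indicator names that a single telemetry record matches."""
    hits = []
    if record.get("event") == "process_start":
        image = record.get("image", "")
        parent = record.get("parent", "")
        if TEMP_DIR.search(image):
            hits.append("temp_exec")
        # PSEXESVC is the service-side executable PsExec drops on the target;
        # match it both as the started image and as the parent of a child.
        if "psexesvc" in image.lower() or "psexesvc" in parent.lower():
            hits.append("psexec")
    elif record.get("event") == "log_cleared":
        hits.append("log_cleared")
    return hits


def score_hosts(jsonl):
    """Aggregate indicator weights per host and flag hosts over the threshold."""
    scores = defaultdict(int)
    matched = defaultdict(set)
    for line in jsonl.strip().splitlines():
        rec = json.loads(line)
        for hit in classify(rec):
            scores[rec["host"]] += WEIGHTS[hit]
            matched[rec["host"]].add(hit)
    return {
        host: {"score": score,
               "indicators": sorted(matched[host]),
               "alert": score >= ALERT_THRESHOLD}
        for host, score in scores.items()
    }


if __name__ == "__main__":
    for host, result in score_hosts(SAMPLE_TELEMETRY).items():
        print(host, result)
```

Run on the constructed records, ws01 accumulates the PsExec service, a Temp-directory child of that service, and a cleared Security log, so it crosses the threshold; ws03 only shows a Temp-directory installer launched from Explorer and stays below it. The weighting is the design point: none of these signals is conclusive alone, but the combination on one host within minutes is worth an analyst's attention.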

Most of Fantasy's code base is copied directly from Apostle, many of its functions are only slightly modified versions of Apostle's, and the two share much of their execution flow, indicating that Agrius is behind this malware as well, ESET notes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
