An Iran-linked advanced persistent threat (APT) actor named Agrius is using a new wiper in attacks targeting entities in South Africa, Israel and Hong Kong, cybersecurity firm ESET reports.
Mainly focused on victims in Israel and the United Arab Emirates, Agrius is a threat actor active since at least 2020, exploiting known vulnerabilities for initial access.
The adversary was previously seen using the Apostle wiper disguised as ransomware, and later updating the malware into a fully-fledged ransomware. Dubbed Fantasy, the newly identified wiper is built based on Apostle, but does not attempt to masquerade as ransomware.
As part of the recently observed attacks, Agrius targeted an Israeli software developer that provides a software suite to organizations in the diamond industry. The supply chain attack allowed the threat actor to infect the developer’s customers with the new Fantasy wiper.
Fantasy was first used against a diamond industry firm in South Africa in March 2022, roughly three weeks after the organization was infected with credential-harvesting tools, likely in preparation for the wiping attack.
After performing reconnaissance and lateral movement, Agrius deployed a Fantasy execution tool dubbed Sandals, and launched the wiper. Written in C# and .NET, Fantasy and Sandals were then both used in attacks against victims in Israel and Hong Kong.
ESET identified five Fantasy victims, including a diamond wholesaler, an HR consulting firm, and an IT support services provider in Israel, the South African organization from the diamond industry, and a jeweler in Hong Kong.
All victims were customers of the software developer, the Fantasy wiper was named similarly to the legitimate software, and the wiper was executed on all victim systems from the Temp directory within a 2.5-hour timeframe. All victims likely already used PsExec, which Agrius employed to blend in.
The attack lasted less than three hours, with the software developer pushing out clean updates only hours later. ESET says that it tried to contact the software developer about the potential compromise, but it received no response.
Other tools deployed during the attack include MiniDump (for credential harvesting from LSASS dumps), SecretsDump (a hash dumper), and Host2IP (a hostname resolver).
Sensitive information such as usernames, passwords, and hostnames harvested using these tools was then used by Sandals for lateral movement and for the wiper’s execution.
“Sandals does not write the Fantasy wiper to remote systems. We believe that the Fantasy wiper is deployed via a supply-chain attack using the software developer’s software update mechanism,” ESET notes.
Fantasy’s wiping routine involves replacing the contents of targeted files and then deleting those files. The wiper also clears all Windows event logs, attempts to delete all files on the system drive, attempts to clear the file system cache memory, attempts to overwrite the system’s Master Boot Record, and finally deletes itself.
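The behaviours ESET describes above and in the victim summary (a binary named after the legitimate product, executed from the Temp directory via PsExec, followed by event logs being cleared) lend themselves to a simple host-telemetry triage rule. The following is an added illustration written for this article, not ESET's code or the victims' software; it runs over constructed Sysmon-style process-creation records (event ID 1) and a Windows Security "audit log was cleared" record (event ID 1102), and the vendor name and install directory in the allowlist are placeholders.

```python
from pathlib import PureWindowsPath

# Constructed allowlist (placeholder vendor): legitimate executable name -> expected install directory.
KNOWN_SOFTWARE = {"vendorapp.exe": r"c:\program files\vendor"}

def is_temp_path(path):
    """True when any directory component of the path is Temp/Tmp (%TEMP%, C:\\Windows\\Temp, ...)."""
    return any(p.lower() in ("temp", "tmp") for p in PureWindowsPath(path).parts[:-1])

def triage(events):
    """Return (rule, detail) findings for the behaviours attributed to the Fantasy/Sandals intrusion."""
    findings = []
    for ev in events:
        if ev["id"] == 1102:
            # Windows Security event 1102 'The audit log was cleared'; Fantasy clears all event logs.
            findings.append(("event_log_cleared", ev["host"]))
            continue
        if ev["id"] != 1:          # only Sysmon process-creation events are inspected below
            continue
        image = PureWindowsPath(ev["image"])
        parent = PureWindowsPath(ev["parent"]).name.lower()
        if parent == "psexesvc.exe" and is_temp_path(ev["image"]):
            # remotely launched binary running out of a Temp directory, as on the Fantasy victims
            findings.append(("psexec_exec_from_temp", ev["image"]))
        expected_dir = KNOWN_SOFTWARE.get(image.name.lower())
        if expected_dir and not str(image.parent).lower().startswith(expected_dir):
            # a legitimate product's name reused for a binary outside that product's install directory
            findings.append(("lookalike_outside_install_dir", ev["image"]))
    return findings

# Constructed sample telemetry (not real data); Sysmon id 1 = process creation.
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws1", "image": r"C:\Program Files\Vendor\VendorApp.exe", "parent": r"C:\Windows\explorer.exe"},
    {"id": 1, "host": "ws1", "image": r"C:\Users\alice\AppData\Local\Temp\VendorApp.exe", "parent": r"C:\Windows\PSEXESVC.exe"},
    {"id": 1, "host": "ws1", "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\PSEXESVC.exe"},
    {"id": 1102, "host": "ws1", "image": None, "parent": None},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The legitimate install-directory execution produces no finding, while the Temp-directory copy launched through the PsExec service matches two rules and the log clear matches a third.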
Most of Fantasy’s code base is copied directly from Apostle, with many of its functions only slightly modified and many execution-flow similarities also observed, indicating that Agrius is behind this malware as well, ESET notes.