New Iranian Group ‘Agrius’ Launches Destructive Cyberattacks on Israeli Targets

Over the past year, an Iran-linked threat actor named Agrius has been observed launching destructive attacks on Israeli targets under the guise of ransomware attacks, according to endpoint security company SentinelOne.

Likely state-sponsored, the threat group initially engaged in cyberespionage attacks, but then attempted to extort victims, claiming to have exfiltrated and encrypted data. The recovery of the impacted files, however, was not possible, due to the destructive nature of the attack.

Dubbed Apostle, the wiper used in these attacks was later updated with encryption capabilities, becoming a fully functional piece of ransomware.

“The similarity to its wiper version, as well as the nature of the target in the context of regional disputes, leads us to believe that the operators behind it are utilizing ransomware for its disruptive capabilities,” SentinelOne says.

Vulnerabilities in Internet-facing applications are leveraged for intrusion, including CVE-2018-13379, a high-severity path traversal vulnerability in the FortiOS SSL VPN web portal, and various security bugs in other web-based applications.

Agrius, the researchers say, uses VPN services to connect to victims’ environments, and employs webshells (mainly variations of ASPXSpy) to tunnel RDP traffic and exploit compromised accounts for lateral movement.

The attackers also employ publicly available tools to harvest credentials and expand their foothold into the compromised environment. They also deploy their own .NET backdoor dubbed IPsec Helper onto targets of interest, to steal data and deploy more payloads when necessary.

In addition to Apostle, the threat group was observed using a wiper called DEADWOOD, which was previously used in an attack against a target in Saudi Arabia in 2019. Most of the adversary’s targets, however, are in Israel, and are likely chosen opportunistically, SentinelOne researchers believe.

Apostle shares code similarities with IPsec Helper, likely because both were developed in-house. An initial version of the malware contained only wiping capabilities, but failed to perform the action as expected, which led to the deployment of the DEADWOOD wiper.

This year, the threat actor introduced a second variant of Apostle, which features ransomware capabilities but employs the old wiping method for deleting the original files after encryption.

During their investigation, SentinelOne researchers did not find links between Agrius’ techniques, tools, and infrastructure and known threat actors, but did identify evidence suggesting the adversary operates out of Iran.

“Agrius is a new threat group that we assess with medium confidence to be of Iranian origin, engaged in both espionage and disruptive activity. The group leverages its own custom toolset, as well as publicly available offensive security tools, to target a variety of organizations in the Middle East,” SentinelOne notes.

The researchers also point out that the group might be part of a larger, coordinated Iranian strategy that also includes the recently disclosed Pay2Key attacks. However, the destructive nature of Agrius’ attacks, which continued into May 2021, suggests that the group is not financially motivated.

Related: Iran Used Fake Instagram Accounts to Try to Nab Israelis: Spy Agencies

Related: Iran Blames Israel for Sabotage at Natanz Nuclear Site

Written By

Ionut Arghire is an international correspondent for SecurityWeek.