The Iran-linked Agrius group has slightly changed its tactics: instead of a purely destructive wiper, it has begun to use malware that combines the functions of a wiper and a ransomware program.
Agrius was first spotted in 2020, when the group attacked targets in Israel, SentinelOne said in a new report. The attackers use a combination of custom and off-the-shelf tools to deploy destructive malware (a wiper) or wiper-ransomware.
However, unlike ransomware groups such as Maze and Conti, Agrius does not pursue purely financial gain. Rather, ransomware is a new addition to attacks aimed at nothing more than cyber espionage and destruction. In some of the attacks that SentinelOne observed, which used only a wiper, the attackers merely pretended to have stolen and encrypted information in order to extort a ransom for decryption; in fact, the information had already been destroyed.
According to the researchers, the attackers deliberately disguised their attacks as ransomware attacks, although their real goal was not extortion but data destruction.
In the first stage of an attack, the hackers use VPNs to reach applications and services owned by the victim and try to exploit vulnerabilities in them (for example, attacks on targets in Israel most often exploited the CVE-2018-13379 vulnerability in FortiOS). If successful, the attackers install web shells and use legitimate tools to move through the network and collect credentials, and then deploy the malware.
Among Agrius' tools is Deadwood (also known as Detbosit), a destructive wiper created by the APT33 group and used in attacks on targets in Saudi Arabia in 2019.
During attacks, Agrius also installs a .NET backdoor called IPsec Helper on the compromised network to gain persistence and connect to the C&C server. In addition, the hackers are deploying a new .NET wiper called Apostle.
In a recent attack on a government facility in the United Arab Emirates, the group used an improved, modified version of Apostle. Ransomware functionality was added to the program, but, according to the researchers, its main purpose is to destroy data, not to encrypt it for financial gain.