ESET researchers discovered a new wiper and its execution tool, both attributed to the Iran-aligned Agrius APT group. The malware operators conducted a supply-chain attack abusing an Israeli software developer to deploy their new wiper, Fantasy, and a new lateral movement and Fantasy execution tool, Sandals.
The abused Israeli software suite is used in the diamond industry, and in February 2022, Agrius began targeting an Israeli HR firm, a diamond wholesaler, and an IT consulting firm. The group is known for its destructive activities. Victims were observed in South Africa and Hong Kong as well.
“The campaign lasted less than three hours, and within that timeframe, ESET customers were already protected with detections identifying Fantasy as a wiper and blocking its execution. We observed the software developer pushing out clean updates within a matter of hours of the attack,” says Adam Burgher, ESET Senior Threat Intelligence Analyst. ESET contacted the software developer to notify them about a potential compromise, but the inquiries went unanswered.
“On February 20, 2022, at an organization in the diamond industry in South Africa, Agrius deployed credential harvesting tools, probably in preparation for this campaign. Then, on March 12, 2022, Agrius launched the wiping attack by deploying Fantasy and Sandals, first to the victim in South Africa, then to victims in Israel, and lastly to a victim in Hong Kong,” elaborates Burgher.
Fantasy wiper either wipes all files on disk or wipes all files with extensions on a list of 682 extensions, including filename extensions for Microsoft 365 applications such as Microsoft Word, Microsoft PowerPoint, and Microsoft Excel, and for common video, audio, and image file formats. Even though the malware takes steps to make recovery and forensic analysis more difficult, it is likely that recovery of the Windows operating system drive is possible. Victims were observed to be back up and running within a matter of hours.
Agrius is a newer Iran-aligned group targeting victims in Israel and the United Arab Emirates since 2020. The group initially deployed a wiper, Apostle, disguised as ransomware, but later modified Apostle into fully fledged ransomware. Agrius exploits known vulnerabilities in internet-facing applications to install webshells, then conducts internal reconnaissance before moving laterally and then deploying its malicious payloads.