Iranian hacking group targets Israel with wiper disguised as ransomware

An Iranian hacking group has been observed camouflaging destructive attacks against Israeli targets as ransomware attacks while maintaining access to victims’ networks for months in what looks like an extensive espionage campaign.

The threat actor, tracked as Agrius by SentinelLabs researchers, has targeted Israel starting with December 2020.

“Initially engaged in espionage activity, Agrius deployed a set of destructive wiper attacks against Israeli targets, masquerading the activity as ransomware attacks,” said Amitai Ben Shushan Ehrlich, Threat Intelligence Researcher at SentinelOne.

From wiper to fully functional ransomware

At first, the group deployed a wiper malware known as DEADWOOD (or Detbosit) designed to destroy data on infected devices and previously used in attacks against Saudi Arabian targets in 2019.

Agrius has slowly transitioned into using a new wiper malware dubbed ‘Apostle,’ which, although broken in its first variants, has gradually replaced DEADWOOD and was upgraded into a fully-featured ransomware strain.

The attackers have used multiple attack vectors, including SQL injection, FortiOS CVE-2018-13379 exploits, and exploits targeting various 1-day web app vulnerabilities.

“We believe the implementation of the encryption functionality is there to mask its actual intention: destroying victim data,” the researcher added.

“This thesis is supported by an early version of Apostle that the attacker’s internally named ‘wiper-action.’ This early version was deployed in an attempt to wipe data but failed to do so possibly due to a logic flaw in the malware.

“The flawed execution led to the deployment of the DEADWOOD wiper. This, of course, did not prevent the attackers from asking for a ransom.”

The Iranian hackers have also developed their own custom .NET malware named ‘IPsec Helper’ designed to provide the threat actor with basic backdoor capabilities to help deliver additional malware on compromised hosts and exfiltrate data.

A complete list of all commands supported by the IPsec Helper backdoor is available in SentinelOne’s full report.

Read the complete article at: Bleeping Computer

Also Read: Hacker group with alleged ties to Iran, targeted 25 medical researchers in US, Israel

Latest news
Related news