An Iran-dependent sophisticated persistent menace (APT) group regarded as Agrius has conducted provide chain-targeted attacks from the diamond industry (and other folks) across three continents.
The statements appear from security scientists at welivesecurity by ESET, who posted an advisory about Agrius on Wednesday.
In the technological produce-up, ESET senior risk intelligence analyst Adam Burgher stated the group analyzed a offer chain attack specific at an Israeli software package developer to deploy Fantasy, Agrius’s new wiper.
“The Fantasy wiper is built on the foundations of the previously claimed Apostle wiper but does not endeavor to masquerade as ransomware, as Apostle initially did,” Burgher described.
“Instead, it goes ideal to function wiping details. Victims had been noticed in South Africa – in which reconnaissance commenced a number of weeks in advance of Fantasy was deployed – Israel and Hong Kong.”
Burgher extra that victims in Israel bundled an IT aid products and services firm, a diamond seller and an HR consulting organization. South African victims, on the other hand, were from a one business in the diamond field, and the Hong Kong target was a jeweler.
In terms of practices, the ESET researchers described Agrius normally exploits identified vulnerabilities in internet-struggling with programs to install web shells. The group then conducts inside reconnaissance just before going laterally and deploying its destructive payloads.
“Since its discovery in 2021, Agrius has been solely centered on destructive functions,” Burgher wrote.
Simply because of this, the security researcher mentioned Agrius operators perhaps executed a provide-chain attack by focusing on the Israeli application company’s software package updating mechanisms to deploy Fantasy to victims in Israel, Hong Kong and South Africa.
“Fantasy is identical in quite a few respects to the previous Agrius wiper, Apostle, that initially masqueraded as ransomware before becoming rewritten to be true ransomware,” Burgher extra.
“[It] helps make no energy to disguise alone as ransomware. Agrius operators utilised a new software, Sandals, to connect remotely to programs and execute Fantasy.”
A listing of indicators of compromise (IoCs) for Agrius is accessible in the ESET advisory. Its publication follows the discovery of other state-backed Iranian menace actors who remained undetected within an Albanian govt network for 14 months just before deploying damaging malware.
Some sections of this posting are sourced from: