Data Wiper Malware Disguised As Ransomware Targets Israeli Entities

Researchers on Tuesday disclosed a new espionage campaign that has
targeted Israeli entities since at least December 2020 with
destructive data-wiping attacks camouflaged as ransomware
extortion.

Cybersecurity firm SentinelOne attributed the attacks to a
nation-state actor affiliated with Iran it tracks under the moniker
“Agrius.”

“An analysis of what at first sight appeared to be a ransomware
attack revealed new variants of wipers that were deployed in a set
of destructive attacks against Israeli targets,” the researchers
said[1]. “The operators behind
the attacks intentionally masked their activity as ransomware
attacks, an uncommon behavior for financially motivated
groups.”

The group’s modus operandi involves deploying a custom .NET
malware called Apostle that has evolved to become fully functional
ransomware, supplanting its prior wiper capabilities, while some of
the attacks have been carried out using a second wiper named
DEADWOOD (aka Detbosit) after a logic flaw in early versions of
Apostle prevented data from being erased.

In addition, the Agrius actors drop a .NET implant called IPsec
Helper that can be used to exfiltrate data or deploy additional
malware. What's more, the threat actor's tactics have also shifted
from espionage to demanding ransoms from its victims to recover
access to encrypted data, only for that data to actually be
destroyed in a wiping attack.

Besides using ProtonVPN for anonymization, the Agrius attack
cycle leverages 1-day vulnerabilities in web-based applications,
including CVE-2018-13379[2], to gain an initial
foothold and subsequently deliver ASPXSpy web shells to maintain
remote access to compromised systems and run arbitrary
commands.

If anything, the research adds to evidence that state-sponsored
actors with ties to the Iranian government are increasingly looking
at ransomware operations as a subterfuge technique to mimic other
financially motivated cybercriminal ransomware groups.

Documents recently leaked by Lab Dookhtegan revealed an
initiative called "Project Signal[3]" that linked Iran's
Islamic Revolutionary Guard Corps to a ransomware operation through
a contracting company.

"While being disruptive and effective, ransomware activities
provide deniability, allowing states to send a message without
taking direct blame," the researchers said. "Similar strategies
have been used with devastating effect by other nation-state sponsored
actors[4]."

References

  1. said (assets.sentinelone.com)
  2. CVE-2018-13379 (nvd.nist.gov)
  3. Project Signal (thehackernews.com)
  4. other nation-state sponsored actors (thehackernews.com)