Agrius APT

Agrius APT Description

The activities of a new APT (Advanced Persistent Threat) hacker group have been brought to light in a recent report. The infosec researchers gave the threat actors the name Agrius. According to the findings, this APT group operates in the Middle East and predominantly attacks Israeli targets.

Agrius attempted to mask its true intentions by structuring the attacks to appear as financially motivated ransomware breaches. Underneath, however, hid the real payloads delivered to the victims: several wiper malware threats designed to cause massive disruption to the compromised entities. One of the novel wiper strains, named 'Apostle', was later developed into full-fledged ransomware. However, researchers again believe that the threat was still deployed for its destructive capabilities and not for financial gain.

Agrius APT's tactics, techniques, and procedures (TTPs) are distinct enough to set it apart from the already established APT groups on the scene. And while there are no concrete links, circumstantial evidence uncovered by SentinelLabs points towards Agrius being affiliated with Iran.

Malware Tools Deployed by the Agrius APT

To maintain anonymity while engaging with any public-facing applications deployed by the targeted organizations, Agrius relies on VPN services such as ProtonVPN. Once inside the victim's network, the threat actors deploy variations of the ASPXSpy web shell. At this stage, Agrius still relies on publicly available tools to harvest account credentials and move laterally inside the victim's network.

If the hackers deem the target worthy, they escalate the attack and move on to deploying their own malware tools. First, a backdoor named 'IPsec Helper', written in .NET, is initiated. The backdoor attempts to gain persistence by registering itself as a service. This threatening tool is used mainly for data exfiltration and the delivery of next-stage payloads.

The true goal of the operations is the deployment of wiper threats. The first is the aforementioned 'Apostle' wiper. The threat is based on 'IPsec Helper': the two share functions, use similar methods to execute tasks, and are both written in .NET. Apostle was later modified by removing all of its wiper functionality and replacing it with ransomware capabilities, most likely to cause similar levels of disruption on the breached systems while better hiding Agrius' intentions. The ransomware version of Apostle was used in an attack against a state-owned facility in the United Arab Emirates. The other wiper deployed by the APT is named DEADWOOD. This malware had previously been detected as part of wiping attacks in the Middle East.