The Apostle Malware is a custom-built malware threat attributed to the recently established Agrius APT (Advanced Persistent Threat) group. The main purpose of Apostle is to cause as much disruption and damage to the breached systems as possible. The threat bears significant similarities with another malware tool deployed by the Agrius group - a backdoor named IPsec Helper. Both threatening tools are written in .NET, share functions, and execute tasks in a nearly identical manner.
The hackers labeled Apostle as a 'wiper action' and that was indeed the intended behavior of the threat. The malware was deployed against targets but failed to wipe the victim's data due to an internal logic flaw in its code. In later operations, however, the bug was not only fixed by Apostle; it was turned into a powerful ransomware threat, losing its wiper functionalities in the process.
The evolved version of Apostle was used in an attack against a nation-owned facility in the United Arab Emirates. Although the threat did leave a ransom note with the typical stipulations found in ransomware threats, the researchers believe that this is just a front. In all likelihood, the Agrius APT is not a financially motivated actor so the ransomware angle is there to mask their real intentions. Although no concrete links have been discovered so far, the hacker group appears to be affiliated with Iran and its main targets are Israeli entities.