An Iranian advanced persistent threat (APT) actor known as Agrius has been attributed as being behind a set of data wiper attacks aimed at the diamond industry in South Africa, Israel, and Hong Kong.
The wiper, codenamed Fantasy by ESET, is believed to have been delivered via a supply chain attack targeting an Israeli software suite developer as part of a campaign that began in February 2022.
Victims include HR firms, IT consulting companies, and a diamond wholesaler in Israel; a South African entity working in the diamond industry; and a jeweler based in Hong Kong.
"The Fantasy wiper is built on the foundations of the previously reported Apostle wiper but does not attempt to masquerade as ransomware, as Apostle originally did," ESET researcher Adam Burgher disclosed in a Thursday analysis. "Instead, it goes right to work wiping data."
Apostle was first documented by SentinelOne in May 2021 as a wiper-turned-ransomware that was deployed in destructive attacks against Israeli targets.
Agrius, the Iran-aligned group behind the intrusions, has been active since at least December 2020 and leverages known security flaws in internet-facing applications to drop web shells that are, in turn, used to facilitate reconnaissance, lateral movement, and the delivery of final-stage payloads.
The Slovak cybersecurity company said the first attack was detected on February 20, 2022, aimed at a South African organization, when the actor deployed credential harvesting tools.
Agrius subsequently initiated the wiping attack via Fantasy on March 12, 2022, before striking other companies in Israel and Hong Kong on the same date.
Fantasy is executed by means of another tool called Sandals, a 32-bit Windows executable written in C#/.NET. It's said to be deployed on the compromised host through a supply-chain attack using the Israeli developer's software update mechanism.
This is substantiated by ESET's assessment that all victims are customers of the affected software developer and that the wiper binary follows a naming convention ("fantasy45.exe" and "fantasy35.exe") similar to that of its legitimate counterpart.
The wiper, for its part, works by recursively retrieving the directory listing for each drive, overwriting each file in those directories with garbage data, assigning an early timestamp to the files, and then deleting them.
"This is presumably done to make recovery and forensic analysis more difficult," Burgher explained.
In a further attempt to erase all traces of the activity, Fantasy clears all Windows event logs, recursively purges all files in the system drive, overwrites the system's Master Boot Record, deletes itself, and finally reboots the machine.
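The sequence described above (bulk overwrite and deletion, timestamps pushed into the past, then event logs cleared) is noisy on the host, which is what makes it detectable. The Python script below is an added illustration, not code from ESET's report or from any vendor product: it runs three behavioural heuristics over a constructed telemetry sample that imitates the described sequence. The event schema, the thresholds, the `C:\Fantasy\` path, the 1980 backdate value and the `cleanmgr.exe` benign process are assumptions made for the example; the Windows event IDs 1102 and 104 (Security log cleared, System/Application log cleared) and the `fantasyNN.exe` name pattern come from Windows and from the report respectively.

```python
import re
from datetime import datetime, timezone

# Thresholds and field names below are assumptions made for this example;
# real telemetry (Sysmon, EDR, the Windows Security log) has its own schema.
TIMESTAMP_FLOOR = datetime(1995, 1, 1, tzinfo=timezone.utc)  # assumed: no legitimate file predates this
MASS_DELETE_THRESHOLD = 50                                    # assumed: deletions per process per 60 s
LOG_CLEARED_IDS = {1102, 104}  # Windows: Security log cleared (1102), System/Application log cleared (104)
WIPER_NAME = re.compile(r"^fantasy\d+\.exe$", re.IGNORECASE)  # pattern ESET reported; weak on its own


def _ts(value):
    """Parse an ISO-8601 UTC timestamp such as '2022-03-12T09:00:00Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_backdated_files(events, floor=TIMESTAMP_FLOOR):
    """Paths whose modification time was pushed before the plausible floor (timestomping)."""
    return [ev["path"] for ev in events
            if ev["kind"] == "file_time_change" and _ts(ev["new_mtime"]) < floor]


def find_log_clears(events):
    """Event-log-cleared record IDs; rare in normal operation and worth alerting on alone."""
    return [ev["event_id"] for ev in events
            if ev["kind"] == "eventlog" and ev["event_id"] in LOG_CLEARED_IDS]


def find_mass_deleters(events, threshold=MASS_DELETE_THRESHOLD, window_s=60):
    """Process images that deleted at least `threshold` files inside any `window_s`-second window."""
    by_image = {}
    for ev in events:
        if ev["kind"] == "file_delete":
            by_image.setdefault(ev["image"], []).append(_ts(ev["ts"]))
    offenders = []
    for image, times in by_image.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):  # sliding window over sorted deletion times
            while (times[hi] - times[lo]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 >= threshold:
                offenders.append(image)
                break
    return offenders


def analyze(events):
    """Combine the heuristics; two independent behavioural indicators raise the alert."""
    findings = {
        "backdated_files": find_backdated_files(events),
        "log_clears": find_log_clears(events),
        "mass_deleters": find_mass_deleters(events),
    }
    # Name matches are reported for context only; they do not count toward the alert.
    findings["name_matches"] = sorted({ev["image"].rsplit("\\", 1)[-1] for ev in events
                                       if "image" in ev and WIPER_NAME.match(ev["image"].rsplit("\\", 1)[-1])})
    indicators = sum(1 for k in ("backdated_files", "log_clears", "mass_deleters") if findings[k])
    findings["alert"] = indicators >= 2
    return findings


def build_sample_events():
    """Constructed telemetry imitating the sequence described above; not data from ESET's report."""
    wiper = r"C:\Fantasy\fantasy45.exe"  # file name pattern from the report; the path is assumed
    events = []
    # 60 deletions within six seconds by the wiper, plus a handful by a benign cleanup job.
    for i in range(60):
        events.append({"ts": f"2022-03-12T09:00:{i // 10:02d}Z", "kind": "file_delete",
                       "image": wiper, "path": rf"D:\data\file{i}.dat"})
    for i in range(5):
        events.append({"ts": f"2022-03-12T09:{i * 2:02d}:30Z", "kind": "file_delete",
                       "image": r"C:\Windows\System32\cleanmgr.exe", "path": rf"C:\Temp\old{i}.tmp"})
    # Modification times backdated (assumed value: 1980) before the files are deleted.
    for i in range(3):
        events.append({"ts": "2022-03-12T09:00:00Z", "kind": "file_time_change", "image": wiper,
                       "path": rf"D:\data\file{i}.dat", "new_mtime": "1980-01-01T00:00:00Z"})
    # Security event log cleared shortly afterwards.
    events.append({"ts": "2022-03-12T09:00:07Z", "kind": "eventlog", "event_id": 1102, "channel": "Security"})
    return events


if __name__ == "__main__":
    print(analyze(build_sample_events()))
```

The alert deliberately rests on behaviour rather than on the file name: because the legitimate software uses a similar naming convention, a `fantasyNN.exe` match alone would fire on every clean update, while backdated timestamps combined with a burst of deletions or a cleared event log have few benign explanations.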
The campaign, which lasted no more than three hours, was ultimately unsuccessful, with ESET stating that it was able to block the wiper's execution. The developer of the software has since pushed out clean updates to stop the attacks.
The name of the Israeli company that fell victim to the supply chain attack was not disclosed by ESET, but evidence points to it being Rubinstein Software, which markets an enterprise resource planning (ERP) solution called Fantasy that's used for jewelry stock management.
"Since its discovery in 2021, Agrius has been solely focused on destructive operations," Burgher concluded.
"To that end, Agrius operators most likely executed a supply-chain attack by targeting an Israeli software company's software updating mechanisms to deploy Fantasy, its newest wiper, to victims in Israel, Hong Kong, and South Africa."
Agrius is far from the first threat group linked to Iran that has been spotted deploying destructive wiper malware.
The APT33 hacking group (aka Elfin, Holmium, or Refined Kitten), which is suspected of operating at the behest of the Iranian government, is said to have been behind multiple attacks that used the Shamoon wiper against targets located in the Middle East.
Data-wiping malware codenamed ZeroCleare has also been employed by Iran-backed threat actors tracked as APT34 (aka OilRig or Helix Kitten) in attacks directed against organizations in the energy and industrial sector in the Middle East.