Iran-aligned Agrius APT, which is known for its destructive operations, is using a new data wiper malware, named Fantasy, in its latest supply-chain attacks against organizations in Israel, Hong Kong, and South Africa.
Agrius’ attack targets
According to ESET researchers, in February, Agrius began targeting Israeli HR and IT consulting firms and users of an Israeli software suite, commonly used in the diamond industry.
The group was observed launching credential harvesting tools on an Israeli software developer network, probably in preparation to deploy Fantasy with the wiper execution tool Sandals.
The attackers waited for about a month to launch the data-wiping attacks.
Subsequently, they launched attacks against a South African organization working in the diamond industry, Israeli organizations, and a jeweler in Hong Kong.
Agrius’ arsenal and behavior
In addition to the above malware, Agrius deploys several tools such as MiniDump, SecretsDump, and Host2IP to target victim systems.
These tools collect usernames, passwords, and hostnames required for Sandals to successfully spread and execute Fantasy data wiper.
After destructing the data, the wiper deletes itself from the system and reboots the system. Experts suggest that recovery is possible with data recovery tools.
The operators use the PsExec tool to blend into the administrative activity on victims’ systems and for ease of batch file execution.
While most wipers disguise as ransomware, Fantasy neither falsely generate ransom notes nor pretends to encrypt the data; it clearly demonstrates its destructive nature.
Recent data wiping incidents
Recently, in the disguise of ransomware, CryWiper, a data-wiping malware, was discovered targeting Russia’s mayor's offices and courts.
Last month, Azov Ransomware was observed being circulated via pirated software, adware bundles, and key generators in its data-wiping operations.
In August, Fortinet researchers discovered that several wiper variants were targeting private, government, and military organizations in Ukraine and other countries.
Conclusion
Fantasy data wiper’s most of the code is based on Apostle wiper, Agrius’s previous wiper malware tool. The code-reusability and the development of a new execution tool indicate the group is preparing to launch more destructive operations against high-profile organizations henceforth. Organizations are recommended to keep a backup of essential data regularly to safeguard against the growing threat of cyberattacks.