Hackers raid diamond wholesalers and steal nothing

Eset_News


For some hackers, the destruction of digital data is more important than theft or blackmail. APT group Agrius has carried out a series of cyberattacks using the Fantasy wiper malware, according to ESET experts.

For diamond wholesalers, theft, fraud and ransom demands are part of their everyday business risks. What surprised the affected gem dealers in Israel, as well as the security experts at ESET, was that the attackers were solely out to destroy digital information and sought no financial gain. ESET was able to prove that the APT group Agrius had carried out a series of cyberattacks using the "Fantasy" malware, which also hit an Israeli human resources company and an IT company. Victims were also observed in South Africa and Hong Kong.

Wiper is out for data shredding

The attackers, who have ties to Iran, used Fantasy, a so-called wiper: it acts purely destructively and, unlike ransomware, makes no attempt to extort money. To get into the victims' networks in the first place, Agrius carried out a supply chain attack, abusing an Israeli software suite that is widely used in the diamond industry.

Back in February 2022, Agrius used credential-gathering tools against a South African diamond industry organization, which the experts see as preparation for the later campaign. Agrius launched the actual wiping attack in March 2022, deploying Fantasy and its distribution tool "Sandals" first against the victim in South Africa, then against others in Israel and finally in Hong Kong.

The Fantasy wiper deleted either all files on the drive or all files with one of 682 predefined extensions, including the filename extensions of Microsoft 365 applications (such as Microsoft Word, Microsoft PowerPoint and Microsoft Excel) as well as common video, audio and image formats. Although the malware took measures to hamper recovery and forensic analysis, it is quite likely that the Windows operating system drive could be recovered: victims were observed to be back up and running within hours.
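As an added illustration of the behaviour described above (this is not ESET's code and not taken from the Fantasy sample), the following Python script shows how a defender might spot wiper-like activity in file-audit records: a single process that writes to or deletes many document and media files within a short time window. The log format, the process names, the extension subset and the thresholds are all constructed assumptions; the article states that Fantasy uses a list of 682 extensions, of which only a handful are listed here.

```python
"""Heuristic detector for wiper-like mass file destruction in file-audit logs.

Added example, not ESET's code. Each audit record is assumed to look like
    <ISO timestamp> <pid> <process> <action> <path>
The detector flags any process that, inside a sliding window, performs
many destructive actions on files whose extensions belong to the kinds of
document/media types the article says Fantasy targets.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed illustrative subset; the real list the article mentions has 682 entries.
TARGETED_EXTENSIONS = {
    ".docx", ".doc", ".xlsx", ".xls", ".pptx", ".ppt",
    ".mp4", ".mp3", ".jpg", ".png", ".pdf",
}

# Actions that overwrite or remove file content (assumed audit vocabulary).
DESTRUCTIVE_ACTIONS = {"WRITE", "DELETE", "RENAME"}


def parse_record(line):
    """Split one audit line into (timestamp, pid, process, action, path).

    maxsplit=4 keeps paths containing spaces intact.
    """
    ts, pid, proc, action, path = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), int(pid), proc, action, path


def extension_of(path):
    """Return the lower-cased extension of a path, or '' if it has none."""
    dot = path.rfind(".")
    return path[dot:].lower() if dot != -1 else ""


def detect_wiper_activity(lines, threshold=5, window=timedelta(seconds=10)):
    """Return {(pid, process): peak_count} for processes that touched at least
    `threshold` targeted files within any `window`-long span."""
    events = defaultdict(deque)   # per-process timestamps inside the window
    alerts = {}
    for line in lines:
        ts, pid, proc, action, path = parse_record(line)
        if action not in DESTRUCTIVE_ACTIONS:
            continue
        if extension_of(path) not in TARGETED_EXTENSIONS:
            continue
        key = (pid, proc)
        recent = events[key]
        recent.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(recent))
    return alerts


# Constructed sample: normal editing by a user, one hypothetical process
# (named "svc.exe" purely for illustration) bulk-overwriting files, and a
# harmless single deletion.
SAMPLE_AUDIT_LOG = [
    "2022-03-08T09:00:01 4120 winword.exe WRITE C:\\Users\\ana\\Documents\\q1 report.docx",
    "2022-03-08T09:00:05 4120 winword.exe WRITE C:\\Users\\ana\\Documents\\q1 report.docx",
    "2022-03-08T09:01:00 5530 svc.exe WRITE C:\\Data\\a.docx",
    "2022-03-08T09:01:01 5530 svc.exe WRITE C:\\Data\\b.xlsx",
    "2022-03-08T09:01:01 5530 svc.exe DELETE C:\\Data\\c.pptx",
    "2022-03-08T09:01:02 5530 svc.exe WRITE C:\\Data\\d.mp4",
    "2022-03-08T09:01:03 5530 svc.exe WRITE C:\\Data\\e.jpg",
    "2022-03-08T09:01:04 5530 svc.exe WRITE C:\\Data\\f.pdf",
    "2022-03-08T09:01:04 5530 svc.exe WRITE C:\\Data\\notes.txt",
    "2022-03-08T09:30:00 7001 explorer.exe DELETE C:\\Data\\old.xls",
]

if __name__ == "__main__":
    for (pid, proc), count in detect_wiper_activity(SAMPLE_AUDIT_LOG).items():
        print(f"ALERT pid={pid} process={proc} touched {count} targeted files in 10 s")
```

On real data the threshold and window have to be tuned against a baseline, and processes that legitimately touch many files (backup agents, indexers, sync clients) need an allow-list; the point of the heuristic is the burst of destructive operations on exactly the file classes a wiper goes after, which is what separates it from ordinary editing.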

Iran-affiliated APT Group Agrius focuses on Israel

Agrius is a newer Iran-affiliated group that has been attacking targets in Israel and the United Arab Emirates since 2020. The group originally deployed the wiper "Apostle" disguised as ransomware; it later evolved into fully functional ransomware. The APT group exploits known vulnerabilities in web applications to install web shells, then conducts internal reconnaissance before spreading the wiper and unleashing its destructive capabilities.

Since its discovery in 2021, Agrius has focused solely on destructive operations. Fantasy resembles the earlier wiper Apostle in many respects: most of Apostle's original features appear in Fantasy's implementation with only minor changes.

More at ESET.com

About ESET

ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.