Hackers raid diamond wholesalers and steal nothing

Eset_News


For some hackers, the destruction of digital data is more important than theft or blackmail. APT group Agrius has carried out a series of cyberattacks using the Fantasy wiper malware, according to ESET experts.

For diamond wholesalers, theft, fraud and ransom demands are part of their daily business risks. What surprised the affected gem dealers in Israel, as well as the security experts at ESET, was that the attackers were out solely to destroy digital information and had no interest in financial gain. ESET was able to show that the APT group Agrius had carried out a series of cyberattacks using the "Fantasy" malware, which also hit an Israeli human resources company and an IT company. Victims were also observed in South Africa and Hong Kong.

Wiper is out for data shredding

The attackers, who are linked to Iran, used Fantasy, a so-called wiper: malware that is purely destructive and, unlike ransomware, does not try to extort money. To get into the victims' networks in the first place, Agrius carried out a supply chain attack, abusing an Israeli software suite that is widely used in the diamond industry.

Back in February 2022, Agrius used credential-gathering tools against a South African diamond industry organization. Experts see this as preparation for the later campaign. Agrius launched the actual wiping attack in March 2022, deploying Fantasy and its distribution tool "Sandals" first at the victim in South Africa, then at others in Israel and finally in Hong Kong.

The Fantasy wiper wiped either all files on the hard drive or all files with one of 682 predefined extensions, including filename extensions for Microsoft 365 applications (such as Microsoft Word, Microsoft PowerPoint and Microsoft Excel) as well as common video, audio and image file formats. Although the malware took measures to make recovery and forensic analysis more difficult, it is quite likely that the Windows operating system drive could be recovered: victims were observed to be back up and running within hours.

Iran-affiliated APT Group Agrius focuses on Israel

Agrius is a newer Iran-affiliated group that has been attacking targets in Israel and the United Arab Emirates since 2020. The group originally deployed the wiper "Apostle" disguised as supposed ransomware; it later evolved into full-fledged ransomware. The APT group exploits known vulnerabilities in web applications to install web shells. It then conducts internal reconnaissance before the wiper is spread and does its destructive work.

Since its discovery in 2021, Agrius has focused solely on destructive operations. Fantasy resembles the earlier Apostle wiper in many ways: most of Apostle's original features reappear in Fantasy's implementation with only a few small changes.

More at ESET.com



About ESET

ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.


