Major diamond companies (and a few related ones) have been hit with a brand-new data wiper courtesy of Iran’s notorious Advanced Persistent Threat (APT) group, Agrius.
Cybersecurity researchers from ESET’s WeLiveSecurity recently discovered that Agrius, a threat actor, launched a supply chain attack on an Israeli software developer and, through it, compromised a number of diamond companies on three continents.
In its research report, ESET said the Israeli company was the target of Agrius’ new data wiper, called Fantasy. This wiper is based on Agrius’ previous tool, Apostle, but with notable differences.
Building on Apostle
“Fantasy wiper is built on the foundation of the previously reported Apostle wiper, but it doesn’t try to mimic ransomware like Apostle originally did,” the company said. “Instead, it goes straight to wiping data. The victims were observed in South Africa – where reconnaissance began weeks before Fantasy was dispatched – in Israel and Hong Kong.”
Researchers suspect that Agrius targeted the Israeli company’s software update mechanism, which allowed them to infect endpoints belonging to its clients: a diamond retailer and an HR consultancy in Israel, a diamond company in South Africa, and a jeweler in Hong Kong.
The threat actor searched for known vulnerabilities in internet-facing applications and exploited them to deploy web shells. These allowed the group to maintain persistence on target networks, move laterally, and ultimately deliver the malicious payload.
“Since its discovery in 2021, Agrius has focused exclusively on destructive operations,” the researchers explain. “Fantasy is similar in many ways to the previous Agrius wiper, Apostle, which initially masqueraded as ransomware before being rewritten to be real ransomware.”
“Fantasy, on the other hand, doesn’t try to disguise itself as ransomware. Agrius operators used a new tool, Sandals, to remotely connect to systems and execute Fantasy.”
By: Security Information Warehouse