New Fantasy data wiper hits Israel, Hong Kong, and South Africa

December 9, 2022
Tags: Fantasy, Data Wiper, Malware, Israel, Hong Kong, South Africa, Supply-Chain Attack, Agrius APT

Entities in Israel, Hong Kong, and South Africa are currently being targeted by an ongoing attack campaign launched by the Iran-based hacktivist group Agrius APT. In this supply-chain attack campaign, the threat group has been seen using a new data wiper dubbed ‘Fantasy.’

Although the coordinated supply-chain campaign began in February, researchers observed its full-scale strike only in March. Some of the most prominent Agrius APT attacks included breaching an IT firm, two jewellery companies, and an HR consulting firm.

Agrius APT hid the Fantasy data wiper inside an Israeli vendor’s software suite, commonly used by diamond manufacturing firms.

One of the first Agrius APT operations was recorded on February 20, when the group attacked a South African diamond firm. Two info-stealers were dropped during the operation, the MiniDump and SecretsDump payloads. The stolen credentials were then used to spread the info-stealers further across the victim’s breached servers to collect more data and gain access to other networks.

Subsequently, on March 12, the threat group deployed another payload named ‘Sandals’ to spread the Fantasy data wiper to targeted machines. This new payload is a Windows executable that connects to hosts on the network, writes a batch file through PsExec, and finally launches the Fantasy data wiper.

These malicious tools were also deployed against companies in Israel and Hong Kong.

Based on analysis of the data wiper, Fantasy is a 32-bit Windows executable that, once executed on a machine, enumerates all drives and directories, excluding the Windows folders. The malware then overwrites each file’s content with random data, sets the file’s timestamps to midnight, and deletes it, preventing recovery attempts.

Before entering a two-minute sleep, the malware deletes registry keys in HKCR, the Windows event logs, and the Windows system-drive folder. In its final stage, Fantasy overwrites the master boot record, deletes itself, and reboots the system.
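To make the file-wiping sequence described above useful from the defender's side, here is an added example (not code from the article or from any vendor) that runs a simple detection heuristic over constructed file-event telemetry: a process that overwrites a file, resets its timestamp to midnight, and then deletes it, across several files, is flagged as a wiper candidate. The event format, process names, and the threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime

MIN_FILES = 3  # assumed demo threshold; tune to the environment's noise level

def is_midnight(ts):
    """True when a file time has been reset to 00:00:00, as the wiper does."""
    return (ts.hour, ts.minute, ts.second) == (0, 0, 0)

def find_wiper_candidates(events, min_files=MIN_FILES):
    """Map process -> files on which it ran write -> midnight settime -> delete.

    events: iterable of (process, action, path, file_mtime) tuples, where
    action is one of "write", "settime", "delete". Only processes that
    complete the full sequence on at least min_files files are returned.
    """
    stage = defaultdict(int)          # (process, path) -> progress 0..2
    wiped = defaultdict(list)         # process -> fully wiped paths
    for proc, action, path, mtime in events:
        key = (proc, path)
        if action == "write":
            stage[key] = 1            # content overwritten (random data)
        elif action == "settime" and stage[key] == 1 and is_midnight(mtime):
            stage[key] = 2            # timestamp forced to midnight
        elif action == "delete" and stage[key] == 2:
            wiped[proc].append(path)  # wipe sequence completed
            stage[key] = 0
        else:
            stage[key] = 0            # any other event breaks the sequence
    return {p: paths for p, paths in wiped.items() if len(paths) >= min_files}

# Constructed sample telemetry (not real logs): one wiper-like process and
# one ordinary editor. Timestamps are the file mtime after each action.
T = datetime
SAMPLE_EVENTS = [
    ("wiper.exe", "write",   r"C:\data\a.doc",  T(2022, 3, 12, 9, 1, 0)),
    ("wiper.exe", "settime", r"C:\data\a.doc",  T(2022, 3, 12, 0, 0, 0)),
    ("wiper.exe", "delete",  r"C:\data\a.doc",  T(2022, 3, 12, 0, 0, 0)),
    ("wiper.exe", "write",   r"C:\data\b.xls",  T(2022, 3, 12, 9, 1, 1)),
    ("wiper.exe", "settime", r"C:\data\b.xls",  T(2022, 3, 12, 0, 0, 0)),
    ("wiper.exe", "delete",  r"C:\data\b.xls",  T(2022, 3, 12, 0, 0, 0)),
    ("wiper.exe", "write",   r"C:\data\c.pdf",  T(2022, 3, 12, 9, 1, 2)),
    ("wiper.exe", "settime", r"C:\data\c.pdf",  T(2022, 3, 12, 0, 0, 0)),
    ("wiper.exe", "delete",  r"C:\data\c.pdf",  T(2022, 3, 12, 0, 0, 0)),
    # Editor saves a file, then removes its own temp file: no midnight step.
    ("winword.exe", "write",  r"C:\data\r.docx", T(2022, 3, 12, 9, 5, 3)),
    ("winword.exe", "delete", r"C:\data\~r.tmp", T(2022, 3, 12, 9, 5, 4)),
]
```

Running `find_wiper_candidates(SAMPLE_EVENTS)` flags only `wiper.exe`; a real deployment would feed it file-create, timestamp-change and delete events from endpoint telemetry instead of the constructed list.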

Nonetheless, victims still have some hope of recovery: they were able to get back up and running within a few hours of the destructive attacks, and analysts said that %SYSTEMDRIVE% recovery is possible. Furthermore, the attacks in this campaign cannot be ransomware attempts, as Fantasy has no data-encryption capability and writes no ransom notes.
