Agrius APT targets the Israeli academic and technology sector

February 22, 2024
Tags: Israel, Agrius APT, Cyberattack, Data Breach, Threat Campaign

Agrius APT, an Iranian-based threat group, has deployed its new wiping tools on Israeli educational and technology institutions.

This APT, which has been active since 2020, has primarily directed its espionage and destructive attacks toward targets in Israel and the United Arab Emirates. Moreover, recent research observed that it targeted a South African diamond industry firm in the past year.

From January to October 2023, Agrius executed an offensive campaign aimed at stealing personally identifiable information (PII) and intellectual property from Israeli education and technology organisations while employing wiping tools to hide its tracks.

During one such campaign, Agrius leveraged various wiping tools, such as MultiLayer, PartialWasher, and BFG Agonizer, in addition to Sqlextractor, a customised tool designed for exfiltrating data from databases.

The threat group exploited several vulnerabilities in web-facing servers to gain initial access, then deployed multiple web shells to establish persistence in the targeted environment. Agrius also used proof-of-concept (PoC) exploits, penetration testing tools and custom utilities to remain undetected and evade security measures.

Agrius APT took advantage of all available resources that would aid its campaigns.

Agrius APT employed publicly available tools for reconnaissance, credential theft, lateral movement, and data exfiltration, as well as SMB password spraying, brute force attacks, and SAM file dumping to extract credentials.
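The credential-theft activity described above leaves a characteristic footprint in failed-logon telemetry: password spraying shows up as one source failing against many distinct accounts in a short window, while brute forcing shows up as one source hammering a single account. The following Python script is an added example written for this article, not code from the researchers or from any tool the group used; it runs over a constructed sample of Windows 4625-style failed-logon records (fields, addresses and account names are all invented for the demonstration) and separates the two patterns so that each can be alerted on.

```python
"""Detect password spraying versus brute forcing in failed-logon records.

Added example for the Agrius article; the log format below is a constructed,
simplified rendering of Windows Security event 4625 (failed logon), not real
telemetry. Logon type 3 corresponds to network (e.g. SMB) logons.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one spraying source, one brute-forcing source, one benign
# source with two unrelated failures far apart.
SAMPLE_LOG = """\
2023-05-02T08:00:01 4625 src=10.0.5.23 user=alice logon_type=3
2023-05-02T08:00:02 4625 src=10.0.5.23 user=bob logon_type=3
2023-05-02T08:00:03 4625 src=10.0.5.23 user=carol logon_type=3
2023-05-02T08:00:04 4625 src=10.0.5.23 user=dave logon_type=3
2023-05-02T08:00:05 4625 src=10.0.5.23 user=erin logon_type=3
2023-05-02T08:00:06 4625 src=10.0.5.23 user=frank logon_type=3
2023-05-02T08:01:10 4625 src=10.0.9.8 user=svc-backup logon_type=3
2023-05-02T08:01:11 4625 src=10.0.9.8 user=svc-backup logon_type=3
2023-05-02T08:01:12 4625 src=10.0.9.8 user=svc-backup logon_type=3
2023-05-02T08:01:13 4625 src=10.0.9.8 user=svc-backup logon_type=3
2023-05-02T08:01:14 4625 src=10.0.9.8 user=svc-backup logon_type=3
2023-05-02T08:01:15 4625 src=10.0.9.8 user=svc-backup logon_type=3
2023-05-02T08:01:16 4625 src=10.0.9.8 user=svc-backup logon_type=3
2023-05-02T08:01:17 4625 src=10.0.9.8 user=svc-backup logon_type=3
2023-05-02T08:01:18 4625 src=10.0.9.8 user=svc-backup logon_type=3
2023-05-02T08:01:19 4625 src=10.0.9.8 user=svc-backup logon_type=3
2023-05-02T08:05:00 4625 src=10.0.2.2 user=grace logon_type=3
2023-05-02T09:30:00 4625 src=10.0.2.2 user=heidi logon_type=3
"""


def parse_events(text):
    """Turn the constructed log text into a list of failed-logon dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, *fields = line.split()
        if event_id != "4625":  # only failed logons are relevant here
            continue
        kv = dict(f.split("=", 1) for f in fields)
        events.append({"time": datetime.fromisoformat(ts), "src": kv["src"],
                       "user": kv["user"], "logon_type": kv.get("logon_type")})
    return events


def _by_source(events):
    """Group events by source address, each group sorted by time."""
    groups = defaultdict(list)
    for e in events:
        groups[e["src"]].append(e)
    for evs in groups.values():
        evs.sort(key=lambda e: e["time"])
    return groups


def find_password_spraying(events, window=timedelta(minutes=10), min_accounts=5):
    """Sources that fail against >= min_accounts distinct accounts inside one window.

    Returns {source: max distinct accounts seen in any window}.
    """
    hits = {}
    for src, evs in _by_source(events).items():
        best = 0
        for i, start in enumerate(evs):  # sliding window anchored at each event
            users = {e["user"] for e in evs[i:] if e["time"] - start["time"] <= window}
            best = max(best, len(users))
        if best >= min_accounts:
            hits[src] = best
    return hits


def find_brute_force(events, window=timedelta(minutes=10), min_attempts=8):
    """(source, account) pairs with >= min_attempts failures on one account in a window."""
    hits = {}
    for src, evs in _by_source(events).items():
        per_user = defaultdict(list)
        for e in evs:
            per_user[e["user"]].append(e["time"])
        for user, times in per_user.items():
            best = 0
            for i, start in enumerate(times):
                best = max(best, sum(1 for t in times[i:] if t - start <= window))
            if best >= min_attempts:
                hits[(src, user)] = best
    return hits


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print("spraying:", find_password_spraying(events))
    print("brute force:", find_brute_force(events))
```

The two detectors are deliberately separate: a spraying source stays below any per-account lockout threshold, so a rule keyed on failures per account never fires on it, and only the distinct-account count per source exposes it. Thresholds and the window are assumptions for the sample and should be tuned against a baseline of normal failed-logon volume before deployment.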

They have also employed the Sqlextractor to query SQL databases and extract various forms of data, such as ID numbers, passport scans, emails, and addresses.

Furthermore, these threat actors attempted to execute three different wiping tools during their attacks, all exhibiting similarities to previous Agrius wipers.

The first, MultiLayer, is written in .NET and uses several components to generate and delete files: it immediately removes files from network drives, corrupts and overwrites local files, and changes the paths of deleted files to hinder recovery.

Next is PartialWasher, written in C++, which accepts command-line arguments for individual wiping tasks and falls back to typical wiper behaviour when run without any arguments.

The third wiping tool, BFG Agonizer, resembles the open-source project CRYLINE-v5.0. Once executed, it attempts to bypass security measures using anti-hooking techniques.
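The three wipers described above share a behavioural signature that file-activity telemetry can catch regardless of which binary is involved: a single process that overwrites files and then renames or deletes them, mass deletions on network shares, and a burst of destructive operations in a short time. The following Python script is an added example written for this article (not code from the researchers or from any of the tools named); it scores a constructed, simplified stream of file events (the process names, paths and field layout are invented for the demonstration) and flags processes that match that signature, which is the kind of logic an EDR or SIEM rule would carry.

```python
"""Score file-event streams for wiper-like behaviour.

Added example for the Agrius article. The event format is a constructed
stand-in for file-activity telemetry (e.g. Sysmon or EDR file events); it is
not the output of any real sensor.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: pid 4120 overwrites four local documents, renames each,
# deletes the renamed copy, then removes three files on a network share.
# pid 900 is an ordinary editor saving a document and clearing its lock file.
SAMPLE_EVENTS = r"""
2023-05-02T10:00:00 pid=4120 proc=sample-wiper.exe op=write path=C:\Users\alice\Documents\q1.xlsx
2023-05-02T10:00:00 pid=4120 proc=sample-wiper.exe op=rename path=C:\Users\alice\Documents\q1.xlsx new=C:\Users\alice\Documents\~1.tmp
2023-05-02T10:00:00 pid=4120 proc=sample-wiper.exe op=delete path=C:\Users\alice\Documents\~1.tmp
2023-05-02T10:00:01 pid=4120 proc=sample-wiper.exe op=write path=C:\Users\alice\Documents\q2.xlsx
2023-05-02T10:00:01 pid=4120 proc=sample-wiper.exe op=rename path=C:\Users\alice\Documents\q2.xlsx new=C:\Users\alice\Documents\~2.tmp
2023-05-02T10:00:01 pid=4120 proc=sample-wiper.exe op=delete path=C:\Users\alice\Documents\~2.tmp
2023-05-02T10:00:01 pid=4120 proc=sample-wiper.exe op=write path=C:\Users\alice\Documents\thesis.docx
2023-05-02T10:00:01 pid=4120 proc=sample-wiper.exe op=rename path=C:\Users\alice\Documents\thesis.docx new=C:\Users\alice\Documents\~3.tmp
2023-05-02T10:00:01 pid=4120 proc=sample-wiper.exe op=delete path=C:\Users\alice\Documents\~3.tmp
2023-05-02T10:00:02 pid=4120 proc=sample-wiper.exe op=write path=C:\Users\alice\Documents\grades.csv
2023-05-02T10:00:02 pid=4120 proc=sample-wiper.exe op=rename path=C:\Users\alice\Documents\grades.csv new=C:\Users\alice\Documents\~4.tmp
2023-05-02T10:00:02 pid=4120 proc=sample-wiper.exe op=delete path=C:\Users\alice\Documents\~4.tmp
2023-05-02T10:00:03 pid=4120 proc=sample-wiper.exe op=delete path=\\fileserver\research\staff.csv
2023-05-02T10:00:03 pid=4120 proc=sample-wiper.exe op=delete path=\\fileserver\research\scans.zip
2023-05-02T10:00:03 pid=4120 proc=sample-wiper.exe op=delete path=\\fileserver\research\ids.db
2023-05-02T10:05:00 pid=900 proc=winword.exe op=write path=C:\Users\alice\Documents\memo.docx
2023-05-02T10:07:30 pid=900 proc=winword.exe op=delete path=C:\Users\alice\Documents\~$memo.docx
"""


def parse_file_events(text):
    """Parse the constructed key=value event lines (paths contain no spaces)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        kv["time"] = datetime.fromisoformat(ts)
        events.append(kv)
    return events


def is_network_path(path):
    """UNC paths (\\\\server\\share\\...) identify files on network drives."""
    return path.startswith("\\\\")


def score_wiper_behaviour(events, window=timedelta(minutes=5)):
    """Per process: overwrite-then-remove chains, network deletes, largest burst."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)
    results = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["time"])  # stable: same-second order is kept
        overwritten = set()          # paths this process has written over
        overwrite_then_delete = 0    # files overwritten and then removed
        network_deletes = 0
        destructive_times = []       # times of renames and deletes
        for e in evs:
            op, path = e["op"], e["path"]
            if op == "write":
                overwritten.add(path)
            elif op == "rename":
                if path in overwritten:  # follow the file to its new name
                    overwritten.discard(path)
                    overwritten.add(e["new"])
                destructive_times.append(e["time"])
            elif op == "delete":
                if path in overwritten:
                    overwrite_then_delete += 1
                    overwritten.discard(path)
                if is_network_path(path):
                    network_deletes += 1
                destructive_times.append(e["time"])
        burst = 0
        for i, start in enumerate(destructive_times):
            burst = max(burst, sum(1 for t in destructive_times[i:] if t - start <= window))
        results[pid] = {"proc": evs[0]["proc"], "overwrite_then_delete": overwrite_then_delete,
                        "network_deletes": network_deletes, "max_burst": burst}
    return results


def flag_suspicious(scores, min_chains=3, min_network_deletes=3, min_burst=10):
    """Process ids whose score crosses any of the (assumed) thresholds."""
    return sorted(pid for pid, s in scores.items()
                  if s["overwrite_then_delete"] >= min_chains
                  or s["network_deletes"] >= min_network_deletes
                  or s["max_burst"] >= min_burst)


if __name__ == "__main__":
    scores = score_wiper_behaviour(parse_file_events(SAMPLE_EVENTS))
    for pid in flag_suspicious(scores):
        print(pid, scores[pid])
```

Tracking a file across its rename is what lets the overwrite-then-delete chain be attributed to the same process even though the deleted name differs from the written one; a rule that only counts deletes per path would miss it. The thresholds are assumptions chosen for the sample; editors, backup agents and installers legitimately rename and delete files, so a deployable rule would exclude known-good processes and raise the burst threshold to match observed baseline volume.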

Lastly, the researchers noted that the group tried multiple techniques to bypass endpoint detection, switching to new ones whenever one was blocked.

These campaigns are not new, but these incidents show that attackers will keep reusing old techniques for as long as they remain effective.
