Large companies in the diamond industry (and some adjacent companies) have been affected by a new draft of data, courtesy of a well-known Iran-based advanced persistent threat (APT) group.
Cybersecurity researchers from ESET's welivesecurity arm recently uncovered Agrius, a threat actor that launched a supply chain attack against an Israeli software developer and, through it, several diamond companies on three continents.
In an investigative report (opens in a new tab), ESET said the Israeli company was attacked by Agrios' new data cleaner, called Fantasy. This wiper is based on Agrios' previous tool, the Apostle, but with notable differences.
Building on the Apostle
"Fantasy Wiper is built on the previously reported Apollo Wiper, but does not attempt to impersonate ransomware, as Apostle originally did," the company said. . “Instead, it goes to work directly erasing the data. Casualties have been seen in South Africa, where reconnaissance began several weeks before Fantasy's release, in Israel and Hong Kong.
Investigators suspect that Agrius targeted the Israeli company's software update mechanisms, allowing them to infect terminals (opens in a new tab) belonging to their clients: a diamond dealer and a human resources consultancy in Israel, a diamond company in South Africa and a jeweler. In Hongkong.
The threat actor searched for known vulnerabilities in Internet-accessible applications and used them to implement web shells. This allowed them to maintain persistence on target networks, move laterally, and ultimately deliver the malicious payload.
“Since its discovery in 2021, Agrius has only focused on destructive operations,” the researchers explained. "Fantasy is similar in many ways to Agrius' previous cleaner, Apostle, which initially masqueraded as ransomware before being rewritten to become real ransomware."
Fantasy, on the other hand, “makes no effort to disguise itself as ransomware. Agrius operators used a new tool, Sandals, to remotely log into systems and run Fantasy.
Via: Infosecurity Magazine (opens in a new tab)
