The threat group pretends to encrypt files for a ransom, destroys them instead.
The Agrius hacking group has shifted to use a combination of wiper and ransomware functionality that pretends to hold data to ransom as a final stage in attacks.
SentinelOne researchers that analysed the group’s latest movements said that Agrius was first spotted in attacks against Israeli targets in 2020.
The group uses a combination of its own custom toolsets and readily available offensive security software to deploy either a destructive wiper or a custom wiper-turned-ransomware variant.
Unlike usual ransomware groups, Agrius doesn’t seem to be purely motivated by money — instead, the use of ransomware is a new addition to attacks focused on cyberespionage and destruction.
In certain attacks traced by SentinelOne when only a wiper was deployed, Agrius would pretend to have stolen and encrypted information to extort victims — but this information had already been destroyed by the wiper.
The researchers stated that Agrius intentionally masked their activity as a ransomware attack, while they were actually engaging in destructive attacks against Israeli targets.
During the first stages of an attack, Agrius will use virtual private network (VPN) software while accessing public-facing apps or services belonging to its intended victim before attempting an exploit, through compromised accounts and software vulnerabilities.
For example, a vulnerability in FortiOS was widely used in exploit attempts against targets in Israel.
If successful, webshells are then deployed, public cybersecurity tools are used for credential harvesting and network movement, and malware payloads are then deployed.
Agrius’ toolkit includes Deadwood (also known as Detbosit), a destructive wiper malware strain. Both APT33 and APT34 have been connected to the use of wipers including Deadwood, Shamoon, and ZeroCleare.
During attacks, Agrius also inserts a custom .NET backdoor called IPsec Helper for persistence and to create a connection with a command-and-control (C2) server. In addition, the group will drop a novel .NET wiper dubbed Apostle.
According to SentinelOne, Agrius has no solid connections to other, established threat groups, but due to its interests in Iranian issues, the deployment of web shells with ties to Iranian-built variants, and the use of wipers in the first place — an attack technique linked to Iranian APTs as far back as 2002 — indicate the group is likely to be of Iranian origin.