Agrius group targets Israel with data-wipers disguised as ransomware

Pierluigi Paganini May 26, 2021

An Iran-linked threat actor tracked as Agrius employed data-wipers disguised as ransomware to destroy targeted IT infrastructure.

Researchers from cyber-security firm SentinelOne discovered a new Iran-linked threat actor, tracked as Agrius, which relied on data-wiping malware disguised as ransomware to destroy the targeted systems.

In order to hide the real nature of the threat, the attackers were asking for ransoms to the victims simulating a ransomware attack.

According to the experts, the Agrius group has been active since early 2020. Initial attacks targeted entities in the Middle East region, but since December 2020, Agrius extended its operations to Israeli targets.

“The attacks were carried out using DEADWOOD (aka Detbosit), a wiper with unconfirmed links to an Iranian threat group.” reads the post published by SentinelOne. “Agrius actors also dropped a novel wiper named ‘Apostle’ and a custom .NET backdoor called ‘IPsec Helper’.”

Agrius used a data-wiping malware named DEADWOOD (aka Detbosit), which was also used by other Iranian threat actors in past attacks. The threat actors leverage VPN services (primarily ProtonVPN) to fly under the radar when accessing public facing applications of the targets.

Attackers deploy the malware on unpatched servers by exploiting known vulnerabilities, then they used it to deploy the ASPXSpy web shell, and then custom .NET backdoor IPSec Helper.

“Agrius uses those webshells to tunnel RDP traffic in order to leverage compromised accounts to move laterally. During this phase, the attackers use a variety of publicly available offensive security tools for credential harvesting and lateral movement.” continues the report.


Once deployed the DEADWOOD malware, the malicious code destroy MBR partitions and wipe all files on the infected system. The malicious code ask for a ransom payment as a diversive tactic.

In recent attacks, the Agrius group also dropped another wiper tracked as ‘Apostle,’ which is continuously improved by the attackers. Recent Apostle version supports all common ransomware features.

“One of the wipers used in the attack, dubbed ‘Apostle’, was later turned into a fully functional ransomware, replacing its wiper functionalities. The message inside it suggests it was used to target a critical, nation-owned facility in the United Arab Emirates. The similarity to its wiper version, as well as the nature of the target in the context of regional disputes, leads us to believe that the operators behind it are utilizing ransomware for its disruptive capabilities.” continues the report.

Despite the malware implemented full functional ransomware capabilities, experts believe it was developed to destroy the target systems, a circumstance that suggests the attackers are not financially motivated.

SentinelOne researchers believe the attacks against Israeli entities confirms the threat actors could be linked to Tehran.

Agrius is a new threat group that we assess with medium confidence to be of Iranian origin, engaged in both espionage and disruptive activity. The group leverages its own custom toolset, as well as publicly available offensive security tools, to target a variety of organizations in the Middle East.” concludes the report. “Early May 2021 saw another set of disruptive ransomware attacks attributed to Iran targeting Israel from the n3tw0rm ransomware group, a newly-identified threat actor with links to the 2020 Pay2Key attacks. The close proximity of the Agrius and n3tw0rm campaigns suggest they may be part of a larger, coordinated Iranian strategy.

SentinelOne also released a technical report on the activities of the group that also includes Indicators of compromise (IOCs).

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Agrius)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment