An Iran-based advanced persistent threat (APT) group has recently targeted organisations in the diamond industry, along with several companies in adjacent sectors.
ESET researchers, reporting on the company's WeLiveSecurity blog, identified the actor as Agrius, which launched a supply chain attack against an Israeli software developer and, through it, reached a number of diamond firms spanning three continents.
</grreplace>
<gr_replace lines="3" cat="clarify" orig="According to a study report by ESET, the latest data wiper">
According to ESET's research report, the latest Agrius data wiper, named Fantasy, was delivered through the Israeli company's software. Fantasy differs in several significant ways from Agrius' earlier tool, Apostle.
According to a study report by ESET, the latest data wiper from Agrius named Fantasy was intended for the Israeli company. This wiper has several significant variations from Agrius’ earlier instrument, Apostle.
The Fantasy wiper, which ESET described as being based on the previously disclosed Apostle wiper, "does not try to pose as ransomware, as Apostle initially did," the firm said. "Instead, it immediately starts deleting data." Victims were seen in Israel, Hong Kong, and South Africa, where reconnaissance started weeks before Fantasy was deployed.
The researchers believe that Agrius compromised the Israeli developer's software update process, which gave it access to endpoints belonging to the developer's customers, including an Israeli diamond retailer, an Israeli HR consulting firm, a South African diamond company, and a Hong Kong jeweller.
The threat actor exploited known vulnerabilities in internet-facing applications to install web shells. From there it moved laterally and maintained persistence on the target networks, which ultimately allowed it to deliver the destructive payload.
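The article does not say how the update channel was abused, but the check that a tampered update of this kind is meant to fail is signature verification on the receiving side. The following is an added example, not code from the article, from ESET or from the affected vendor: a client verifies an Ed25519 signature over a manifest of file hashes under a pinned vendor key and checks every file against that manifest before installing anything. The manifest format, the key handling, the file names and their contents are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Update is what the client receives from the update server: the files,
// a manifest listing each file's SHA-256, and an Ed25519 signature over the
// manifest bytes. The layout is hypothetical, chosen for this example.
type Update struct {
	Files     map[string][]byte
	Manifest  []byte
	Signature []byte
}

// buildManifest produces a canonical, sorted "name sha256hex" listing so
// that vendor and client compute exactly the same bytes to sign and verify.
func buildManifest(files map[string][]byte) []byte {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(&b, "%s %s\n", n, hex.EncodeToString(sum[:]))
	}
	return []byte(b.String())
}

// VendorSign is the release step: the manifest is signed with the vendor's
// private key, which should never leave the build/release environment.
func VendorSign(priv ed25519.PrivateKey, files map[string][]byte) Update {
	m := buildManifest(files)
	return Update{Files: files, Manifest: m, Signature: ed25519.Sign(priv, m)}
}

// VerifyUpdate is the client-side check: the update is rejected unless the
// manifest signature verifies under the pinned vendor key AND every delivered
// file matches the manifest exactly. Nothing is written before both pass.
func VerifyUpdate(pinnedPub ed25519.PublicKey, u Update) error {
	if !ed25519.Verify(pinnedPub, u.Manifest, u.Signature) {
		return errors.New("manifest signature invalid: update rejected")
	}
	expected := map[string]string{}
	for _, line := range strings.Split(strings.TrimSpace(string(u.Manifest)), "\n") {
		parts := strings.Fields(line)
		if len(parts) != 2 {
			return fmt.Errorf("malformed manifest line %q: update rejected", line)
		}
		expected[parts[0]] = parts[1]
	}
	if len(expected) != len(u.Files) {
		return errors.New("file set does not match manifest: update rejected")
	}
	for name, data := range u.Files {
		want, ok := expected[name]
		if !ok {
			return fmt.Errorf("file %s not listed in manifest: update rejected", name)
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("file %s hash mismatch: update rejected", name)
		}
	}
	return nil
}

// copyUpdate clones the file map so a tampered copy does not alter the original.
func copyUpdate(u Update) Update {
	files := make(map[string][]byte, len(u.Files))
	for k, v := range u.Files {
		files[k] = v
	}
	return Update{Files: files, Manifest: u.Manifest, Signature: u.Signature}
}

// RunScenario walks three deliveries past one pinned key: the genuine release,
// the same release with one binary swapped after signing, and a release
// re-signed with a key the vendor never issued. Only the first should pass.
func RunScenario() (genuine, tampered, forged error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample payload standing in for a real update package.
	files := map[string][]byte{
		"app.exe":    []byte("legitimate application build 2.0"),
		"config.ini": []byte("[update]\nchannel=stable\n"),
	}
	release := VendorSign(vendorPriv, files)
	genuine = VerifyUpdate(vendorPub, release)

	// Attacker on the update server swaps a binary but cannot re-sign.
	swapped := copyUpdate(release)
	swapped.Files["app.exe"] = []byte("modified build carrying a destructive payload")
	tampered = VerifyUpdate(vendorPub, swapped)

	// Attacker rebuilds the manifest and signs it with a key of their own.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged = VerifyUpdate(vendorPub, VendorSign(attackerPriv, swapped.Files))
	return genuine, tampered, forged
}

func main() {
	genuine, tampered, forged := RunScenario()
	fmt.Println("genuine release:", genuine)
	fmt.Println("swapped binary:", tampered)
	fmt.Println("forged manifest:", forged)
}
```

The check only helps against tampering between the vendor's release step and the customer: an update server that serves modified files, or a manifest re-signed with a key the client does not trust, both fail. It does nothing if the vendor's own signing key or build pipeline is compromised, and the article does not state which of these happened here.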
The researchers said: "Since its discovery in 2021, Agrius has been completely focused on destructive actions. Fantasy resembles Apostle, a prior Agrius wiper that first pretended to be ransomware before being rebuilt to really be ransomware, in many ways."
Fantasy, on the other hand, "does not attempt to pass as ransomware." Agrius operators connected to systems remotely and executed Fantasy using a new tool called Sandals.