26 May 2021

Iranian hackers target Israeli orgs with wiper masquerading as ransomware


A new threat actor suspected to be associated with Iran has been observed conducting destructive wiper attacks disguised as ransomware attacks against Israeli targets.

Dubbed Agrius by SentinelOne researchers, the group has been active since early 2020, primarily targeting entities in the Middle East region, but in December 2020 the threat actor switched its focus to Israel.

“An analysis of what at first sight appeared to be a ransomware attack revealed new variants of wipers that were deployed in a set of destructive attacks against Israeli targets. The operators behind the attacks intentionally masked their activity as ransomware attacks,” SentinelOne wrote.

“The operators behind the attacks intentionally masked their activity as ransomware attacks, an uncommon behavior for financially motivated groups. Considering this and the nature of the known targets, we assess this is a nation-sponsored threat group.”

In attacks observed by the cybersecurity firm, Agrius deployed several wipers and a custom .NET backdoor called ‘IPsec Helper’. One of the wipers was DEADWOOD (aka Detbosit), a data-wiping malware that was also used by other Iranian threat actors in past attacks.

To get a foothold on the target system, the group usually takes advantage of publicly available 1-day exploits in web-based apps or SQL injection, and uses VPN services (primarily ProtonVPN) for anonymization when accessing the public-facing applications of its targets. Upon gaining initial access, Agrius deploys webshells (mostly variations of ASPXSpy) or accesses the target through the target organization’s own VPN solution. The group then uses the webshells to tunnel RDP traffic, leveraging compromised accounts to move laterally, and utilizes a variety of publicly available offensive security tools for credential harvesting and lateral movement.

The main implant used by Agrius is IPsec Helper, a backdoor that allows the operators to upload files from infected systems, run commands and download additional malware. IPsec Helper runs as a service and intermittently checks for an internet connection by connecting to pre-determined Microsoft servers before fetching the Apostle .NET malware, according to SentinelOne.

“Apostle is a .NET malware whose functionality iteratively developed from a wiper to full-fledged ransomware. We believe the implementation of the encryption functionality is there to mask its actual intention: Destroying victim data,” the report said.

“Agrius is a new threat group that we assess with medium confidence to be of Iranian origin, engaged in both espionage and disruptive activity. The group leverages its own custom toolset, as well as publicly available offensive security tools, to target a variety of organizations in the Middle East. In some cases, the group leveraged its access to deploy destructive wiper malware, and in others a custom ransomware. Considering this, we find it unlikely that Agrius is a financially motivated threat actor,” the researchers concluded.
