ESET researchers analyzed a supply-chain assault abusing an Israeli software program developer to deploy Fantasy, Agrius’s new wiper, with victims together with the diamond trade
ESET researchers found a brand new wiper and its execution device, each attributed to the Agrius APT group, whereas analyzing a supply-chain assault abusing an Israeli software program developer. The group is thought for its harmful operations.
In February 2022, Agrius started concentrating on Israeli HR and IT consulting corporations, and customers of an Israeli software program suite used within the diamond trade. We imagine that Agrius operators carried out a supply-chain assault abusing the Israeli software program developer to deploy their new wiper, Fantasy, and a brand new lateral motion and Fantasy execution device, Sandals.
The Fantasy wiper is constructed on the foundations of the beforehand reported Apostle wiper however doesn’t try to masquerade as ransomware, as Apostle initially did. As an alternative, it goes proper to work wiping information. Victims have been noticed in South Africa – the place reconnaissance started a number of weeks earlier than Fantasy was deployed – Israel, and Hong Kong.
- Agrius carried out a supply-chain assault abusing an Israeli software program suite used within the diamond trade.
- The group then deployed a brand new wiper we named Fantasy. Most of its code base comes from Apostle, Agrius’s earlier wiper.
- Together with Fantasy, Agrius additionally deployed a brand new lateral motion and Fantasy execution device that we’ve got named Sandals.
- Victims embody Israeli HR corporations, IT consulting firms, and a diamond wholesaler; a South African group working within the diamond trade; and a jeweler in Hong Kong.
Group overview
Agrius is a more moderen Iran-aligned group concentrating on victims in Israel and the United Arab Emirates since 2020. The group initially deployed a wiper, Apostle, disguised as ransomware, however later modified Apostle into totally fledged ransomware. Agrius exploits identified vulnerabilities in internet-facing purposes to put in webshells, then conducts inside reconnaissance earlier than shifting laterally after which deploying its malicious payloads.
Marketing campaign overview
On February 20th, 2022 at a corporation within the diamond trade in South Africa, Agrius deployed credential harvesting instruments, in all probability in preparation for this marketing campaign. Then, on March 12th, 2022, Agrius launched the wiping assault by deploying Fantasy and Sandals, first to the sufferer in South Africa after which to victims in Israel and lastly to a sufferer in Hong Kong.
Victims in Israel embody an IT help companies firm, a diamond wholesaler, and an HR consulting agency. South African victims are from a single group within the diamond trade, with the Hong Kong sufferer being a jeweler.
Determine 1. Sufferer timeline and places
The marketing campaign lasted lower than three hours and inside that timeframe ESET clients have been already protected with detections figuring out Fantasy as a wiper, and blocking its execution. We noticed the software program developer pushing out clear updates inside a matter of hours of the assault. We reached out to the software program developer to inform them a couple of potential compromise, however our enquiries went unanswered.
Making ready for departure
The primary instruments deployed by Agrius operators to sufferer techniques, by way of means unknown, have been:
- MiniDump, “a C# implementation of mimikatz/pypykatz minidump performance to get credentials from LSASS dumps”
- SecretsDump, a Python script that “performs numerous strategies to dump hashes from [a] distant machine with out executing any agent there”
- Host2IP, a customized C#/.NET device that resolves a hostname to an IP tackle.
Usernames, passwords, and hostnames collected by these instruments are required for Sandals to efficiently unfold and execute the Fantasy wiper. Agrius operators deployed MiniDump and SecretsDump to this marketing campaign’s first sufferer on February 20th, 2022, however waited till March 12th, 2022 to deploy Host2IP, Fantasy, and Sandals (consecutively).
Sandals: Igniting the Fantasy (wiper)
Sandals is a 32-bit Home windows executable written in C#/.NET. We selected the title as a result of Sandals is an anagram of among the command line arguments it accepts. It’s used to connect with techniques in the identical community through SMB, to jot down a batch file to disk that executes the Fantasy wiper, after which run that batch file through PsExec with this command line string:
- PsExec.exe /accepteula -d -u “<username>” -p “<password>” -s “C:<path><GUID>.bat”
The PsExec choices have the next meanings:
- -d – Don’t watch for course of to terminate (non-interactive).
- /accepteula – Suppress show of the license dialog.
- -s – Run the distant course of within the SYSTEM account.
Sandals doesn’t write the Fantasy wiper to distant techniques. We imagine that the Fantasy wiper is deployed through a supply-chain assault utilizing the software program developer’s software program replace mechanism. This evaluation is predicated on a number of elements:
- all victims have been clients of the affected software program developer;
- the Fantasy wiper was named in a similar way to official variations of the software program;
- all victims executed the Fantasy wiper inside a 2.5 hour timeframe, the place victims in South Africa have been focused first, then victims in Israel, and eventually victims in Hong Kong (we attribute the delay in concentrating on to time zone variations and a hardcoded check-in time throughout the official software program); and,
- lastly, the Fantasy wiper was written to, and executed from, %SYSTEMpercentWindowsTemp, the default temp listing for Home windows techniques.
Moreover, we imagine the victims have been already utilizing PsExec, and Agrius operators selected to make use of PsExec to mix into typical administrative exercise on the victims’ machines, and for ease of batch file execution. Desk 1 lists the command line arguments accepted by Sandals.
Desk 1. Sandals arguments and their descriptions
| Argument | Description | Required |
|---|---|---|
| -f <filepath> | A path and filename to a file that accommodates an inventory of hostnames that needs to be focused. | Sure |
| -u <username> | The username that will likely be used to log into the distant hostname(s) in argument -f. | Sure |
| -p <password> | The username that will likely be used to log into the distant hostname(s) in argument -f. | Sure |
| -l <filepath> | The trail and filename of the Fantasy wiper on the distant system that will likely be executed by the batch file created by Sandals. | Sure |
| -d <path> | The placement to which Sandals will write the batch file on the distant system. Default location is %WINDOWSpercentTemp. | No |
| -s <integer> | The period of time, in seconds, that Sandals will sleep between writing the batch file to disk and executing. The default is 2 seconds. | No |
| -a file <filepath> or -a random or -a rsa |
If -a is adopted by the phrase file and a path and filename, Sandals makes use of the encryption key within the equipped file. If -a is adopted by rsa or random, Sandals makes use of the RSACryptoServiceProvider class to generate a public-private key pair with a key measurement of two,048. | No |
| Specifies which drive to attach with on a distant system over SMB. Default is C:. | No | |
| -ps <filepath> | Location of PsExec on disk. Default is psexec.exe within the present working listing. | No |
| -ra | If -ra is equipped at runtime, it units the variable flag to True (initially set to False). If flag=True, Sandals deletes all information written to disk within the present working listing. If flag=False, Sandals skips the file cleanup step. | No |
The batch file written to disk by Sandals is called <GUID>.bat, the place the filename is the output of the Guid.NewGuid() methodology. An instance of a Sandals batch file is proven in Determine 2.
Determine 2. Sandals batch file (high, in purple) and the decoded command line parameter (backside, in blue)
The base64 string that follows fantasy35.exe is probably going a relic of the execution necessities of Apostle (extra particulars within the Attribution to Agrius part). Nevertheless, the Fantasy wiper solely appears for an argument of 411 and ignores all different runtime enter (see the following part for extra data).
Fantasy wiper
The Fantasy wiper can be a 32-bit Home windows executable written in C#/.NET, so named for its filenames: fantasy45.exe and fantasy35.exe, respectively. Determine 3 depicts the execution circulate of the Fantasy wiper.
Determine 3. Fantasy wiper execution circulate
Initially, Fantasy creates a mutex to make sure that just one occasion is operating. It collects an inventory of mounted drives however excludes the drive the place the %WINDOWS% listing exists. Then it enters a for loop iterating over the drive checklist to construct a recursive listing itemizing, and makes use of the RNGCryptoServiceProvider.GetBytes methodology to create a cryptographically robust sequence of random values in a 4096-byte array. If a runtime argument of 411 is equipped to the wiper, the for loop overwrites the contents of each file with the aforementioned byte array utilizing a nested whereas loop. In any other case, the for loop solely overwrites information with a file extension listed within the Appendix.
Fantasy then assigns a particular timestamp (2037-01-01 00:00:00) to those file timestamp properties:
- CreationTime
- LastAccessTime
- LastWriteTime
- CreationTimeUtc
- SetLastAccessTimeUtc
- LastWriteTimeUtc
after which deletes the file. That is presumably carried out to make restoration and forensic evaluation harder.
In the course of the for loop, the Fantasy wiper counts errors throughout the present listing when making an attempt to overwrite information. If the variety of errors exceeds 50, it writes a batch file, %WINDOWSpercentTemp<GUID>.bat, that deletes the listing with the information inflicting the errors, after which self-deletes. File wiping then resumes within the subsequent listing within the goal checklist.
As soon as the for loop completes, the Fantasy wiper creates a batch file in %WINDOWSpercentTemp known as registry.bat. The batch file deletes the next registry keys:
- HKCR.EXE
- HKCR.dll
- HKCR*
Then it runs the next to aim to clear file system cache reminiscence:
- %windirpercentsystem32rundll32.exe advapi32.dll,ProcessIdleTasks
Lastly, registry.bat deletes itself (del %0).
Subsequent, the Fantasy wiper clears all Home windows occasion logs and creates one other batch file, system.bat, in %WINDOWSpercentTemp, that recursively deletes all information on %SYSTEMDRIVE%, makes an attempt to clear file system cache reminiscence, and self-deletes. Then Fantasy sleeps for 2 minutes earlier than overwriting the system’s Grasp Boot Report.
Fantasy then writes one other batch file, %WINDOWSpercentTempremover.bat, that deletes the Fantasy wiper from disk after which deletes itself. Then Fantasy wiper sleeps for 30 seconds earlier than rebooting the system with purpose code SHTDN_REASON_MAJOR_OTHER (0x00000000) — Different concern.
It’s seemingly that %SYSTEMDRIVE% restoration is feasible. Victims have been noticed to be again up and operating inside a matter of hours.
Attribution to Agrius
A lot of the code base from Apostle, initially a wiper masquerading as ransomware then up to date to precise ransomware, was instantly copied to Fantasy and plenty of different capabilities in Fantasy have been solely barely modified from Apostle, a identified Agrius device. Nevertheless, the general performance of Fantasy is that of a wiper with none try to masquerade as ransomware. Determine 4 reveals the file deletion capabilities in Fantasy and Apostle, respectively. There are just a few small tweaks between the unique perform in Apostle and the Fantasy implementation.
Determine 4. File deletion capabilities from the Fantasy wiper (high, in purple) and Apostle ransomware (backside, in inexperienced)
Determine 4. File deletion capabilities from the Fantasy wiper (high, in purple) and Apostle ransomware (backside, in inexperienced)
Determine 5 reveals that the listing itemizing perform is sort of a direct copy, with solely the perform variables getting a slight tweak between Apostle and Fantasy.
Determine 5. Listing itemizing capabilities from the Fantasy wiper (high, in purple) and Apostle ransomware (backside, in inexperienced)
Lastly, the GetSubDirectoryFileListRecursive perform in Determine 6 can be virtually an actual copy.
Determine 6. Recursive listing itemizing capabilities from the Fantasy wiper (high, in purple) and Apostle ransomware (backside, in inexperienced)
Along with the code reuse, we will see remnants of the Apostle execution circulate in Fantasy. Within the authentic evaluation of Apostle, SentinelOne notes that “Correct execution of the ransomware model requires supplying it with a base64 encoded argument containing an XML of an ‘RSAParameters’ object. This argument is handed on and saved because the Public Key used for the encryption course of and is most definitely generated on a machine owned by the risk actor.” We are able to see within the batch file in Determine 7, which Sandals creates on distant techniques to launch Fantasy, that the identical base64-encoded argument containing an XML of an RSAParameters object is handed to Fantasy at runtime. Fantasy, nonetheless, doesn’t use this runtime argument.
Determine 7. Sandals passing to Fantasy the identical RSAParameters object as was utilized by Apostle ransomware
Conclusion
Since its discovery in 2021, Agrius has been solely centered on harmful operations. To that finish, Agrius operators in all probability executed a supply-chain assault by concentrating on an Israeli software program firm’s software program updating mechanisms to deploy Fantasy, its latest wiper, to victims in Israel, Hong Kong, and South Africa. Fantasy is comparable in lots of respects to the earlier Agrius wiper, Apostle, that originally masqueraded as ransomware earlier than being rewritten to be precise ransomware. Fantasy makes no effort to disguise itself as ransomware. Agrius operators used a brand new device, Sandals, to attach remotely to techniques and execute Fantasy.
ESET Analysis additionally provides personal APT intelligence experiences and information feeds. For any inquiries about this service, go to the ESET Menace Intelligence web page.
IoCs
| SHA-1 | Filename | Detection | Description |
|---|---|---|---|
| 1A62031BBB2C3F55D44F59917FD32E4ED2041224 | fantasy35.exe | MSIL/KillDisk.I | Fantasy wiper. |
| 820AD7E30B4C54692D07B29361AECD0BB14DF3BE | fantasy45.exe | MSIL/KillDisk.I | Fantasy wiper. |
| 1AAE62ACEE3C04A6728F9EDC3756FABD6E342252 | host2ip.exe | clear | Resolves a hostname to an IP tackle. |
| 5485C627922A71B04D4C78FBC25985CDB163313B | MiniDump.exe | MSIL/Riskware.LsassDumper.H | Implementation of Mimikatz minidump that dumps credentials from LSASS. |
| DB11CBFFE30E0094D6DE48259C5A919C1EB57108 | registry.bat | BAT/Agent.NRG | Batch file that wipes some registry keys and is dropped and executed by the Fantasy wiper. |
| 3228E6BC8C738781176E65EBBC0EB52020A44866 | secretsdump.py | Python/Impacket.A | Python script that dumps credential hashes. |
| B3B1EDD6B80AF0CDADADD1EE1448056E6E1B3274 | spchost.exe | MSIL/Agent.XH | Sandals lateral motion device and Fantasy spreader. |
MITRE ATT&CK strategies
This desk was constructed utilizing model 12 of the MITRE ATT&CK framework.
| Tactic | ID | Title | Description |
|---|---|---|---|
| Useful resource Improvement | T1587 | Develop Capabilities | Agrius builds utility instruments to make use of throughout an energetic exploitation course of. |
| T1587.001 | Develop Capabilities: Malware | Agrius builds customized malware together with wipers (Fantasy) and lateral motion instruments (Sandals). | |
| Preliminary Entry | T1078.002 | Legitimate Accounts: Area Accounts | Agrius operators tried to seize cached credentials after which use them for lateral motion. |
| T1078.003 | Legitimate Accounts: Native Accounts | Agrius operators tried to make use of cached credentials from native accounts to achieve preliminary entry to extra techniques inside an inside community. | |
| Execution | T1059.003 | Command and Scripting Interpreter: Home windows Command Shell | Fantasy and Sandals each use batch information that run through the Home windows command shell. |
| Privilege Escalation | T1134 | Entry Token Manipulation | Fantasy makes use of the LookupPrivilegeValue and AdjustTokenPrivilege APIs in advapi32.dll to grant its course of token the SeShutdownPrivilege to reboot Home windows. |
| Protection Evasion | T1070.006 | Indicator Removing on Host: Timestomp | Agrius operators timestomped the compilation timestamps of Fantasy and Sandals. |
| Credential Entry | T1003 | OS Credential Dumping | Agrius operators used a number of instruments to dump OS credentials to be used in lateral motion. |
| Discovery | T1135 | Community Share Discovery | Agrius operators used cached credentials to test for entry to different techniques inside an inside community. |
| Lateral Motion | T1021.002 | Distant Providers: SMB/Home windows Admin Shares | Agrius operators used cached credentials to attach over SMB to techniques inside an exploited inside community. |
| T1570 | Lateral Instrument Switch | Agrius operators used Sandals to push batch information over SMB to different techniques inside an inside community. | |
| Affect | T1485 | Knowledge Destruction | The Fantasy wiper overwrites information in information after which deletes the information. |
| T1561.002 | Disk Wipe | Fantasy wipes the MBR of the Home windows drive and makes an attempt to wipe the OS partition. | |
| T1561.001 | Disk Wipe: Disk Content material Wipe | Fantasy wipes all disk contents from non-Home windows drives which can be mounted drives. | |
| T1529 | System Shutdown/Reboot | Fantasy reboots the system after finishing its disk and information wiping payloads. |
Appendix
File extensions (682) focused by Fantasy wiper when not concentrating on all file extensions. File extensions highlighted in yellow (68) are frequent filename extensions in Home windows. Notably absent are file extensions dll and sys.
| $$$ | mix | drw | jsp | nyf | qualsoftcode | tdb |
| $db | blend1 | dsb | kb2 | oab | quicken2015backup | tex |
| 001 | blend2 | dss | kbx | obj | quicken2016backup | tga |
| 002 | blob | dtd | kc2 | obk | quicken2017backup | thm |
| 003 | bm3 | dwg | kdb | odb | quickenbackup | tib |
| 113 | bmk | dxb | kdbx | odc | qv~ | tibkp |
| 3dm | bookexport | dxf | kdc | odf | r3d | tif |
| 3ds | bpa | dxg | key | odg | raf | tig |
| 3fr | bpb | em1 | kf | odm | rar | tis |
| 3g2 | bpm | epk | kpdx | odp | rat | tlg |
| 3gp | bpn | eps | structure | ods | uncooked | tmp |
| 3pr | bps | erbsql | lbf | odt | rb | tmr |
| 73b | bpw | erf | lcb | oeb | rbc | tor |
| 7z | bsa | esm | ldabak | ogg | rbf | trn |
| __a | bup | exe | litemod | oil | rbk | ttbk |
| __b | c | exf | llx | outdated | rbs | txt |
| ab | caa | fbc | lnk | onepkg | rdb | uci |
| ab4 | cas | fbf | ltx | orf | re4 | upk |
| aba | cbk | fbk | lua | ori | rgss3a | v2i |
| abbu | cbs | fbu | lvl | orig | rim | vb |
| abf | cbu | fbw | m | ost | rm | vbk |
| abk | cdf | fdb | m2 | otg | rmbak | vbm |
| abu | cdr | ff | m3u | oth | rmgb | vbox-prev |
| abu1 | cdr3 | ffd | m4a | otp | rofl | vcf |
| accdb | cdr4 | fff | m4v | ots | rrr | vdf |
| accde | cdr5 | fh | map | ott | rtf | vfs0 |
| accdr | cdr6 | fhd | max | oyx | rw2 | vmdk |
| accdt | cdrw | fhf | mbf | p12 | rwl | vob |
| ach | cdx | fla | mbk | p7b | rwz | vpcbackup |
| acp | ce2 | flat | mbw | p7c | s3db | vpk |
| acr | cel | flka | mcmeta | pab | safenotebackup | vpp_pc |
| act | cenon~ | flkb | mdb | pages | sas7bdat | vrb |
| adb | cer | flv | mdbackup | pak | sav | vtf |
| adi | cfp | fmb | mdc | paq | say | w01 |
| advertisements | cfr | forge | mddata | pas | sb | w3x |
| aea | cgm | fos | mdf | pat | sbb | pockets |
| afi | cib | fpk | mdinfo | pba | sbs | walletx |
| agdl | ck9 | fpsx | mef | pbb | sbu | conflict |
| ai | class | fpx | mem | pbd | sdO | wav |
| ait | cls | fsh | menu | pbf | sda | wb2 |
| al | cmf | ftmb | mfw | pbj | sdc | wbb |
| apj | cmt | ful | mig | pbl | sdf | wbcat |
| apk | config | fwbackup | mkv | pbx5script | sid | wbk |
| arc | cpi | fxg | mlx | pbxscript | sidd | wbx |
| arch00 | cpp | fza | mmw | pcd | sidn | win |
| arw | cr2 | fzb | moneywell | pct | sie | wjf |
| as4 | craw | gb1 | mos | pdb | sim | wma |
| asd | crds | gb2 | mov | pdd | sis | wmo |
| asf | crt | gbp | mp3 | skb | wmv | |
| ashbak | crw | gdb | mp4 | pef | sldm | wotreplay |
| asm | cs | gho | mpb | pem | sldx | wpb |
| asmx | csd | ghs | mpeg | pfi | slm | wpd |
| asp | csh | grey | mpg | pfx | sln | wps |
| aspx | csl | gray | mpqge | php | sme | wspak |
| asset | csm | gry | mrw | php5 | sn1 | wxwanam |
| asv | css | gs-bck | mrwref | phtml | sn2 | x |
| asvx | csv | gz | msg | pk7 | sna | x11 |
| asx | d3dbsp | h | msi | pkpass | sns | x3f |
| ate | da0 | hbk | msim | pl | snx | xbk |
| ati | dac | hkdb | mv_ | plc | spf | xf |
| avi | das | hkx | myd | plc | spg | xis |
| awg | sprint | hplg | mynotesbackup | png | spi | xla |
| ba6 | dazip | hpp | nb7 | pot | sps | xlam |
| ba7 | db | htm | nba | potm | sqb | xlk |
| ba8 | db-journal | htm1 | nbak | potx | sql | xlm |
| ba9 | db0 | html | nbd | ppam | sqlite | xlr |
| bac | db3 | hvpl | nbd | pps | sqlite3 | xls |
| again | dba | ibank | nbf | ppsm | sqlitedb | xlsb |
| backup | dbf | ibd | nbi | ppsx | sr2 | xlsm |
| backup1 | dbk | ibk | nbk | ppt | srf | xlsx |
| backupdb | dbs | ibz | nbs | pptm | srr | xlt |
| bak | dbx | icbu | nbu | pptx | srt | xltm |
| bak2 | dc2 | icf | ncf | pqb-backup | srw | xltx |
| bak3 | dcr | icxs | nco | prf | st4 | xlw |
| bakx | dcs | idx | nd | prv | st6 | xml |
| bak~ | ddd | iif | nda | ps | st7 | ycbcra |
| financial institution | ddoc | iiq | ndd | psa | st8 | yrcbck |
| bar | ddrw | incpas | nef | psafe3 | std | yuv |
| bat | dds | indd | nfb | psd | stg | zbfx |
| bay | der | index | nfc | psk | sti | zip |
| bbb | des | inprogress | nk2 | pspimage | stw | ztmp |
| bbz | desc | ipd | nop | pst | stx | ~cw |
| bc6 | design | iso | noy | ptb | sty | |
| bc7 | dgc | itdb | npf | ptx | sum | |
| bck | dim | itl | nps | pvc | sv$ | |
| bckp | divx | itm | nrbak | pvhd | sv2i | |
| bcm | diy | iv2i | nrs | py | svg | |
| bdb | djvu | iwd | nrw | qba | swf | |
| bff | dmp | iwi | ns2 | qbb | sxc | |
| bgt | dna | j01 | ns3 | qbk | sxd | |
| bif | dng | jar | ns4 | qbm | sxg | |
| bifx | doc | java | nsd | qbmb | sxi | |
| huge | docm | jbk | nsf | qbmd | sxm | |
| bik | docx | jdc | nsg | qbr | sxw | |
| bk1 | dot | jpa | nsh | qbw | syncdb | |
| bkc | dotm | jpe | ntl | qbx | t12 | |
| bkf | dotx | jpeg | nwb | qby | t13 | |
| bkp | dov | jpg | nwbak | qdf | tar | |
| bkup | dpb | jps | nx2 | qic | tax | |
| bkz | drf | js | nxl | qsf | tbk |
