https://safirsoft.com Disk-wiping malware with Iranian fingerprints is striking Israeli targets

Dubbed Apostle, never-before-seen wiper masquerades as ransomware.

Researchers say they’ve uncovered never-before-seen disk-wiping malware that’s disguising itself as ransomware as it unleashes destructive attacks on Israeli targets.

Apostle, as researchers at security firm SentinelOne are calling the malware, was initially deployed in an attempt to wipe data but failed to do so, likely because of a logic flaw in its code. The internal name its developers gave it was “wiper-action.” In a later version, the bug was fixed and the malware gained full-fledged ransomware behaviors, including the leaving of notes demanding victims pay a ransom in exchange for a decryption key.

A clear line

In a post published Tuesday, SentinelOne researchers said they assessed with high confidence that, based on the code and the servers Apostle reported to, the malware was being used by a never-before-seen group with ties to the Iranian government. While a ransomware note they recovered suggested that Apostle had been used against a critical facility in the United Arab Emirates, the primary target was Israel.

“The usage of ransomware as a disruptive tool is usually hard to prove, as it is difficult to determine a threat actor’s intentions,” Tuesday’s report stated. “Analysis of the Apostle malware provides a rare insight into those kinds of attacks, drawing a clear line between what began as a wiper malware to a fully operational ransomware.”

The researchers have dubbed the newly discovered hacking group Agrius. SentinelOne saw the group first using Apostle as a disk wiper, although a flaw in the malware prevented it from doing so, most likely because of a logic error in its code. Agrius then fell back on Deadwood, a wiper that had already been used against a target in Saudi Arabia in 2019.

Advertisement

When Agrius released a new version of Apostle, it was full-fledged ransomware.

“We believe the implementation of the encryption functionality is there to mask its actual intention—destroying victim data,” Tuesday’s post stated. “This thesis is supported by an early version of Apostle that the attackers internally named ‘wiper-action.’”

Apostle has major code overlap with a backdoor, called IPSec Helper, that Agrius also uses. IPSec Helper receives a host of commands, such as downloading and executing an executable file, that are issued from the attacker's control server. Both Apostle and IPSec Helper are written in the .Net language.

Agrius also uses webshells so that attackers can move laterally inside a compromised network. To conceal their IP addresses, members use the ProtonVPN.

An affinity for wipers

Iranian-sponsored hackers already had an affinity for disk wipers. In 2012, self-replicating malware tore through the network of Saudi Arabia-based Saudi Aramco, the world’s largest crude exporter, and permanently destroyed the hard drives of more than 30,000 workstations. Researchers later identified the wiper worm as Shamoon and said it was the work of Iran.

In 2016, Shamoon reappeared in a campaign that struck at multiple organizations in Saudi Arabia, including several government agencies. Three years later, researchers uncovered a new Iranian wiper called ZeroCleare.

Further ReadingTuesday’s massive ransomware outbreak was, in fact, something much worseApostle isn’t the first wiper to be disguised as ransomware. NotPetya, the worm that inflicted billions of dollars of damage worldwide, also masqueraded as ransomware until researchers determined that it was created by Russian government-backed hackers to destabilize Ukraine.

SentinelOne Principal Threat Researcher Juan Andres Guerrero-Saade said in an interview that malware like Apostle illustrates the interplay that often occurs between financially motivated cybercriminals and nation-state hackers.

“The threat ecosystem keeps evolving, with attackers developing different techniques to achieve their goals,” he said. “We see cybercriminal gangs learning from the better resourced nation-state groups. Likewise, the nation-state groups are borrowing from criminal gangs—masquerading their disruptive attacks under the guise of ransomware with no indication as to whether victims will in fact get their files back in exchange for a ransom.”

Disk-wiping malware with Iranian fingerprints is striking Israeli targets
disk-wiping-malware-with-iranian-fingerprints-is-striking.html

https://safirsoft.com Here are a bunch of iOS 15 features that Apple didn’t mention earlier

Here are a bunch of iOS 15 features that Apple didn’t mention earlier

As usual, some of the most intriguing changes weren't necessarily the biggest.

As Apple's annual WWDC conference wraps up, we have a whole week ...

https://safirsoft.com CD Projekt Red says its data is likely circulating online after ransom attack

CD Projekt Red says its data is likely circulating online after ransom attack

Data taken in breach disclosed in February likely related to employees and contractors.

CD Projekt Red, the maker of The Witcher series, Cyberpu...

https://safirsoft.com MySQL 101: Installation, care, and feeding on Ubuntu

MySQL 101: Installation, care, and feeding on Ubuntu

If you've got 15 minutes, we can show you the ropes of basic MySQL management.

One of the tasks nearly any sysadmin frequently encounters is the...

https://safirsoft.com Google Chrome ends its war on address bar URLs—for now, at least

Google Chrome ends its war on address bar URLs—for now, at least

As it turns out, hiding URL information does not help security.

Chrome is ending its war on address bar URLs—at least for now. About a year a...

https://safirsoft.com Android 12’s beautiful color-changing UI already lives up to the hype

Android 12’s beautiful color-changing UI already lives up to the hype

Android 12's "Material You" UI debuts in Beta 2, and we go hands-on.

Android 12 Beta 2 came out this week, and with it, a lot of features we've ...

https://safirsoft.com iOS, web versions of Dark Sky weather app will shut down in 2022

iOS, web versions of Dark Sky weather app will shut down in 2022

Apple already shut down the Android version after acquiring the app last year.

A new blog post from the developers of Apple-owned, hyperlocal we...