An Iran-based advanced persistent threat (APT) group known as Agrius has conducted supply chain-focused attacks against the diamond industry (and others) across three continents.
The claims come from security researchers at welivesecurity by ESET, who published an advisory about Agrius on Wednesday.
In the technical write-up, ESET senior threat intelligence analyst Adam Burgher said the team analyzed a supply chain attack targeted at an Israeli software developer to deploy Fantasy, Agrius’s new wiper.
“The Fantasy wiper is built on the foundations of the previously reported Apostle wiper but does not attempt to masquerade as ransomware, as Apostle originally did,” Burgher explained.
“Instead, it goes right to work wiping data. Victims were observed in South Africa – where reconnaissance began several weeks before Fantasy was deployed – Israel and Hong Kong.”
Burgher added that victims in Israel included an IT support services company, a diamond seller and an HR consulting firm. South African victims, on the other hand, were from a single organization in the diamond industry, and the Hong Kong victim was a jeweler.
In terms of tactics, the ESET researchers explained Agrius typically exploits known vulnerabilities in internet-facing applications to install web shells. The group then conducts internal reconnaissance before moving laterally and deploying its malicious payloads.
“Since its discovery in 2021, Agrius has been solely focused on destructive operations,” Burgher wrote.
Because of this, the security researcher said Agrius operators possibly executed a supply-chain attack by targeting the Israeli software company’s software updating mechanisms to deploy Fantasy to victims in Israel, Hong Kong and South Africa.
“Fantasy is similar in many respects to the previous Agrius wiper, Apostle, that initially masqueraded as ransomware before being rewritten to be actual ransomware,” Burgher added.
“[It] makes no effort to disguise itself as ransomware. Agrius operators used a new tool, Sandals, to connect remotely to systems and execute Fantasy.”
A list of indicators of compromise (IoCs) for Agrius is available in the ESET advisory. Its publication follows the discovery of other state-backed Iranian threat actors who remained undetected inside an Albanian government network for 14 months before deploying destructive malware.