In the latest cyber-espionage developments, Iranian hacking group Agrius has been found to be adapting data-wiping attack vectors by attacks on Israeli targets, all the while pretending to be ransomware attacks.

Malicious Agrius data-wiper masquerades as ransomware attack:

Security organization SentinelOne has newly detected that the Agrius cybercriminal gang, which is a nation-state affiliated with Iran has been perpetrating these attacks since at least December 2020.

According to the security researchers, at the primary analysis phase, what appears to be a ransomware attack actually uncovers new varieties of the data-wipers that were dispensed against Israeli targets.

The pretend-ransomware attack is done on purpose by the Agrius cybercriminal group which the security experts attribute as an uncommon trait for financially motivated groups.

Also read,

The mode of operation of Agrius sites via deploying a .NET malware called Apostle has been architectured and evolved to become a fully functioning ransomware.

It has been analyzed to have superseded its former wiper abilities while certain attacks have been done using a supplementary wiper named DEADWOOD or Detbosit following a logic defect in its primary versions of Apostle prevented the data from being destroyed.

In addition, the Agrius actors drop a .NET implant called IPsec Helper that can be used to exfiltrate data or deploy additional malware. What’s more, the threat actor’s tactics have also witnessed a shift from espionage to demanding ransoms from its victims to recover access to encrypted data, only to have them actually destroyed in a wiping attack.

Agrius uses ProtonVPN for staying anonymous while leveraging 1-day vulnerabilities in web-based applications. This is done to obtain solid ground and then deliver ASPXSpy web shells to maintain remote access to vulnerable systems and run arbitrary commands.

Links to Israeli government?

Experts are of the opinion that the newest detection supplements evidence that state-sponsored malicious entities linked to the Iranian government are increasingly looking at ransomware operations as a subterfuge technique to mimic other financially motivated cybercriminal ransomware groups.