Detecting Fantasy Data Wiper Leveraged by Agrius APT in a Supply-Chain Attack

Security experts from ESET revealed a destructive operation launched by the Iran-backed Agrius APT to target organizations with a novel data wiper. Dubbed Fantasy, the destructive malware has been deployed via a coordinated supply-chain attack abusing the software updates of an unnamed Israeli vendor. Among the victims are an HR and IT consulting company, a diamond wholesaler, and a jewelry vendor in Israel, South Africa, and Hong Kong.

Detect Fantasy Wiper Attacks by Agrius APT

Data wiper malware is intentionally used to destroy data on targeted systems, causing major digital and business interruptions. To help security practitioners identify potential Fantasy wiper attacks in a timely manner, the SOC Prime Platform aggregates a Sigma rule crafted by our keen Threat Bounty developer Aung Kyaw Min Naing:

Possible Agrius APT Group Activity By Detection of Deleted registry Keys [via_registry_event]

The rule below detects the deletion of registry keys by the Fantasy wiper. It is compatible with 19 SIEM, EDR, BDP, and XDR solutions and is mapped to the latest MITRE ATT&CK® framework v12, addressing the Impact tactic and the corresponding Data Destruction (T1485) technique.

Aspiring threat researchers looking for ways to contribute to collective cyber defense are welcome to join the ranks of the Threat Bounty Program crowdsourced initiative. Write detection code backed by Sigma and ATT&CK, share your expertise with industry peers, and get bounty for the quality and speed of your work while constantly improving your Detection Engineering skills.

To date, SOC Prime Platform offers a variety of Sigma rules detecting tools and attack techniques associated with APT collectives. Hit the Explore Detections button to check the detection algorithms accompanied by the corresponding ATT&CK references, threat intelligence links, and other relevant metadata.


Fantasy Data Wiper: Analyzing the Latest Campaign by Agrius APT

Active since at least 2020, the Iran-affiliated Agrius APT is a relatively new player in the malicious arena, concentrating its efforts primarily on the Middle East region. The group came into the spotlight with the Apostle wiper targeting entities within Israel and the United Arab Emirates. Apostle was initially disguised as ransomware, covertly destroying the victim’s data, but over time the malware was modified to act as an actual ransomware strain.

According to the latest inquiry by ESET, Agrius APT has now switched to a new data wiper called Fantasy to proceed with destructive operations. Although it is a successor to Apostle, Fantasy has no encryption capabilities and acts purely as a wiper. Upon execution, it overwrites the data on all drives and directories except the Windows folder and then destroys the files to prevent recovery attempts. Fantasy also deletes registry keys in HKCR, clears Windows event logs, and blanks the Windows SystemDrive folder. Finally, after a two-minute sleep, the wiper overwrites the master boot record, deletes itself, and reboots the system.
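As an added illustration that is not part of the SOC Prime rule above or ESET's research, the following Python detection logic flags a process that deletes many HKCR-backed registry keys within a short window, run over constructed Sysmon Event ID 12 (registry object added/deleted) records. The process path, threshold and window are assumptions chosen for the example; because HKCR is a merged view, sensors may log its keys as HKCR\..., HKLM\SOFTWARE\Classes\... or HKU\<SID>_Classes\..., so the check normalizes all three spellings.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# HKCR is a merged view; treat HKCR\, HKLM\SOFTWARE\Classes\ and HKU\<SID>_Classes\ alike.
CLASSES_ROOT = re.compile(r"^(HKCR\\|HKLM\\SOFTWARE\\Classes\\|HKU\\[^\\]+_Classes\\)", re.IGNORECASE)

def is_classes_root_key(target):
    return bool(CLASSES_ROOT.match(target))

def find_mass_hkcr_deletions(events, threshold=5, window=timedelta(seconds=60)):
    """Return {Image: max count} for processes with >= threshold DeleteKey events on classes-root
    keys inside any sliding window of `window`. Threshold and window are illustrative values."""
    per_image = defaultdict(list)
    for ev in events:  # Sysmon Event ID 12 = registry object added or deleted
        if ev.get("EventID") != 12 or ev.get("EventType") != "DeleteKey":
            continue
        if not is_classes_root_key(ev.get("TargetObject", "")):
            continue
        per_image[ev["Image"]].append(datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f"))
    hits = {}
    for image, stamps in per_image.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[image] = max(hits.get(image, 0), end - start + 1)
    return hits

def event(t, image, target, etype="DeleteKey"):
    return {"UtcTime": t, "EventID": 12, "EventType": etype, "Image": image, "TargetObject": target}

# Constructed sample telemetry, not real IoCs: a wiper-like process, an installer and explorer.
WIPER = "C:\\Users\\user\\AppData\\Local\\Temp\\wiper.exe"  # assumed path for the example
MSIEXEC = "C:\\Windows\\System32\\msiexec.exe"
SAMPLE_EVENTS = [
    event("2022-03-01 10:00:00.000", WIPER, "HKCR\\.txt"),
    event("2022-03-01 10:00:01.000", WIPER, "HKCR\\.docx"),
    event("2022-03-01 10:00:02.000", WIPER, "HKCR\\.pdf"),
    event("2022-03-01 10:00:03.000", WIPER, "HKLM\\SOFTWARE\\Classes\\.jpg"),
    event("2022-03-01 10:00:04.000", WIPER, "HKLM\\SOFTWARE\\Classes\\.png"),
    event("2022-03-01 10:00:05.000", WIPER, "HKU\\S-1-5-21-1_Classes\\.csv"),
    event("2022-03-01 10:03:00.000", MSIEXEC, "HKCR\\Installer\\Products\\ABC"),  # benign, low volume
    event("2022-03-01 10:03:01.000", MSIEXEC, "HKCR\\Installer\\Products\\DEF"),
    event("2022-03-01 10:03:02.000", "C:\\Windows\\explorer.exe", "HKU\\S-1-5-21-1\\Software\\RecentDocs"),
    event("2022-03-01 10:03:03.000", WIPER, "HKCR\\.zip", etype="CreateKey"),  # not a deletion
]
```

Replace SAMPLE_EVENTS with parsed Event ID 12 records from your own Sysmon telemetry to run it for real; only the wiper-like process clears the default threshold here.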

The campaign involving Fantasy wiper deployments started in February 2022, after adversaries breached a South African company in the diamond industry to dump credentials. Agrius APT then launched a supply-chain attack abusing the Israeli software vendor to drop the novel Fantasy wiper and a new lateral movement and wiper execution tool, Sandals. In February 2022, an Israeli HR and IT consulting firm fell victim to the attack, as did all users of the Israeli software suite widely adopted in the diamond industry. By March 2022, the Fantasy wiper had been deployed in several companies in Israel, Hong Kong, and South Africa.

Growing volumes of cyber attacks by state-backed APT groups and their increasing sophistication require ultra-responsiveness from cyber defenders. Browse socprime.com to search for Sigma rules against current and emerging threats, including malware affecting cryptocurrency users, and reach over 9,000 ideas for Detection Engineering and Threat Hunting along with comprehensive cyber threat context. Or upgrade to On Demand as part of our Cyber Monday deal, valid through December 31, and get up to 200 premium Sigma rules of your choice in addition to the detection stack available in your chosen package.
