January 28, 2023

Warning: sprintf(): Too few arguments in /home/customer/www/cybersecureness.com/public_html/wp-content/themes/chromenews/lib/breadcrumb-trail/inc/breadcrumbs.php on line 253
ESET researchers analyzed a supply-chain attack abusing an Israeli software developer to deploy Fantasy, Agrius’s new wiper, with victims including the diamond industry ESET researchers discovered a new wiper and its execution tool, both attributed to the Agrius APT group, while analyzing a supply-chain attack abusing an Israeli software developer. The group is known for…

ESET researchers analyzed a supply-chain attack abusing an Israeli software developer to deploy Fantasy, Agrius’s new wiper, with victims including the diamond industry

ESET researchers discovered a new wiper and its execution tool, both attributed to the Agrius APT group, while analyzing a supply-chain attack abusing an Israeli software developer. The group is known for its destructive operations.

In February 2022, Agrius began targeting Israeli HR and IT consulting firms, and users of an Israeli software suite used in the diamond industry. We believe that Agrius operators conducted a supply-chain attack abusing the Israeli software developer to deploy their new wiper, Fantasy, and a new lateral movement and Fantasy execution tool, Sandals.

The Fantasy wiper is built on the foundations of the previously reported Apostle wiper but does not attempt to masquerade as ransomware, as Apostle originally did. Instead, it goes right to work wiping data. Victims were observed in South Africa – where reconnaissance began several weeks before Fantasy was deployed – Israel, and Hong Kong.

Key points of this blogpost:

  • Agrius conducted a supply-chain attack abusing an Israeli software suite used in the diamond industry.
  • The group then deployed a new wiper we named Fantasy. Most of its code base comes from Apostle, Agrius’s previous wiper.
  • Along with Fantasy, Agrius also deployed a new lateral movement and Fantasy execution tool that we have named Sandals.
  • Victims include Israeli HR firms, IT consulting companies, and a diamond wholesaler; a South African organization working in the diamond industry; and a jeweler in Hong Kong.

Group overview

Agrius is a newer Iran-aligned group targeting victims in Israel and the United Arab Emirates since 2020. The group initially deployed a wiper, Apostle, disguised as ransomware, but later modified Apostle into fully fledged ransomware. Agrius exploits known vulnerabilities in internet-facing applications to install webshells, then conducts internal reconnaissance before moving laterally and then deploying its malicious payloads.

Campaign overview

On February 20th, 2022 at an organization in the diamond industry in South Africa, Agrius deployed credential harvesting tools, probably in preparation for this campaign. Then, on March 12th, 2022, Agrius launched the wiping attack by deploying Fantasy and Sandals, first to the victim in South Africa and then to victims in Israel and lastly to a victim in Hong Kong.

Victims in Israel include an IT support services company, a diamond wholesaler, and an HR consulting firm. South African victims are from a single organization in the diamond industry, with the Hong Kong victim being a jeweler.

Figure 1. Victim timeline and locations

The campaign lasted less than three hours and within that timeframe ESET customers were already protected with detections identifying Fantasy as a wiper, and blocking its execution. We observed the software developer pushing out clean updates within a matter of hours of the attack. We reached out to the software developer to notify them about a potential compromise, but our enquiries went unanswered.

Preparing for departure

The first tools deployed by Agrius operators to victim systems, through means unknown, were:

  • MiniDump, “a C# implementation of mimikatz/pypykatz minidump functionality to get credentials from LSASS dumps
  • SecretsDump, a Python script that “performs various techniques to dump hashes from [a] remote machine without executing any agent there
  • Host2IP, a custom C#/.NET tool that resolves a hostname to an IP address.

Usernames, passwords, and hostnames collected by these tools are required for Sandals to successfully spread and execute the Fantasy wiper. Agrius operators deployed MiniDump and SecretsDump to this campaign’s first victim on February 20th, 2022, but waited until March 12th, 2022 to deploy Host2IP, Fantasy, and Sandals (consecutively).

Sandals: Igniting the Fantasy (wiper)

Sandals is a 32-bit Windows executable written in C#/.NET. We chose the name because Sandals is an anagram of some of the command line arguments it accepts. It is used to connect to systems in the same network via SMB, to write a batch file to disk that executes the Fantasy wiper, and then run that batch file via PsExec with this command line string:

  • PsExec.exe /accepteula -d -u “” -p “” -s “C:.bat”

The PsExec options have the following meanings:

  • -d – Don’t wait for process to terminate (non-interactive).
  • /accepteula – Suppress display of the license dialog.
  • -s – Run the remote process in the SYSTEM account.

Sandals does not write the Fantasy wiper to remote systems. We believe that the Fantasy wiper is deployed via a supply-chain attack using the software developer’s software update mechanism. This assessment is based on several factors:

  • all victims were customers of the affected software developer;
  • the Fantasy wiper was named in a similar fashion to legitimate versions of the software;
  • all victims executed the Fantasy wiper within a 2.5 hour timeframe, where victims in South Africa were targeted first, then victims in Israel, and finally victims in Hong Kong (we attribute the delay in targeting to time zone differences and a hardcoded check-in time within the legitimate software); and,
  • lastly, the Fantasy wiper was written to, and executed from, %SYSTEM%WindowsTemp, the default temp directory for Windows systems.

Additionally, we believe the victims were already using PsExec, and Agrius operators chose to use PsExec to blend into typical administrative activity on the victims’ machines, and for ease of batch file execution. Table 1 lists the command line arguments accepted by Sandals.

Table 1. Sandals arguments and their descriptions

ArgumentDescriptionRequired
-f A path and filename to a file that contains a list of hostnames that should be targeted.Yes
-u The username that will be used to log into the remote hostname(s) in argument -f.Yes
-p The username that will be used to log into the remote hostname(s) in argument -f.Yes
-l The path and filename of the Fantasy wiper on the remote system that will be executed by the batch file created by Sandals.Yes
-d The location to which Sandals will write the batch file on the remote system. Default location is %WINDOWS%Temp.No
-s The amount of time, in seconds, that Sandals will sleep between writing the batch file to disk and executing. The default is two seconds.No
-a file or
-a random or
-a rsa
If -a is followed by the word file and a path and filename, Sandals uses the encryption key in the supplied file. If -a is followed by rsa or random, Sandals uses the RSACryptoServiceProvider class to generate a public-private key pair with a key size of 2,048.No
-dn Specifies which drive to connect with on a remote system over SMB. Default is C:.No
-ps Location of PsExec on disk. Default is psexec.exe in the current working directory.No
-raIf -ra is supplied at runtime, it sets the variable flag to True (initially set to False). If flag=True, Sandals deletes all files written to disk in the current working directory. If flag=False, Sandals skips the file cleanup step.No

The batch file written to disk by Sandals is named .bat, where the filename is the output of the Guid.NewGuid() method. An example of a Sandals batch file is shown in Figure 2.

Figure 2. Sandals batch file (top, in red) and the decoded command line parameter (bottom, in blue)

The base64 string that follows fantasy35.exe is likely a relic of the execution requirements of Apostle (more details in the Attribution to Agrius section). However, the Fantasy wiper only looks for an argument of 411 and ignores all other runtime input (see the next section for more information).

Fantasy wiper

The Fantasy wiper is also a 32-bit Windows executable written in C#/.NET, so named for its filenames: fantasy45.exe and fantasy35.exe, respectively. Figure 3 depicts the execution flow of the Fantasy wiper.

Figure 3. Fantasy wiper execution flow

Initially, Fantasy creates a mutex to ensure that only one instance is running. It collects a list of fixed drives but excludes the drive where the %WINDOWS% directory exists. Then it enters a for loop iterating over the drive list to build a recursive directory listing, and uses the RNGCryptoServiceProvider.GetBytes method to create a cryptographically strong sequence of random values in a 4096-byte array. If a runtime argument of 411 is supplied to the wiper, the for loop overwrites the contents of every file with the aforementioned byte array using a nested while loop. Otherwise, the for loop only overwrites files with a file extension listed in the Appendix.

Fantasy then assigns a specific timestamp (2037-01-01 00:00:00) to these file timestamp properties:

  • CreationTime
  • LastAccessTime
  • LastWriteTime
  • CreationTimeUtc
  • SetLastAccessTimeUtc
  • LastWriteTimeUtc

and then deletes the file. This is presumably done to make recovery and forensic analysis more difficult.

During the for loop, the Fantasy wiper counts errors within the current directory when attempting to overwrite files. If the number of errors exceeds 50, it writes a batch file, %WINDOWS%Temp.bat, that deletes the directory with the files causing the errors, and then self-deletes. File wiping then resumes in the next directory in the target list.

Once the for loop completes, the Fantasy wiper creates a batch file in %WINDOWS%Temp called registry.bat. The batch file deletes the following registry keys:

  • HKCR.EXE
  • HKCR.dll
  • HKCR*

Then it runs the following to attempt to clear file system cache memory:

  • %windir%system32rundll32.exe advapi32.dll,ProcessIdleTasks

Lastly, registry.bat deletes itself (del %0).

Next, the Fantasy wiper clears all Windows event logs and creates another batch file, system.bat, in %WINDOWS%Temp, that recursively deletes all files on %SYSTEMDRIVE%, attempts to clear file system cache memory, and self-deletes. Then Fantasy sleeps for two minutes before overwriting the system’s Master Boot Record.

Fantasy then writes another batch file, %WINDOWS%Tempremover.bat, that deletes the Fantasy wiper from disk and then deletes itself. Then Fantasy wiper sleeps for 30 seconds before rebooting the system with reason code SHTDN_REASON_MAJOR_OTHER (0x00000000) — Other issue.

It is likely that %SYSTEMDRIVE% recovery is possible. Victims were observed to be back up and running within a matter of hours.

Attribution to Agrius

Much of the code base from Apostle, initially a wiper masquerading as ransomware then updated to actual ransomware, was directly copied to Fantasy and many other functions in Fantasy were only slightly modified from Apostle, a known Agrius tool. However, the overall functionality of Fantasy is that of a wiper without any attempt to masquerade as ransomware. Figure 4 shows the file deletion functions in Fantasy and Apostle, respectively. There are only a few small tweaks between the original function in Apostle and the Fantasy implementation.

Figure 4. File deletion functions from the Fantasy wiper (top, in red) and Apostle ransomware (bottom, in green)

Figure 4. File deletion functions from the Fantasy wiper (top, in red) and Apostle ransomware (bottom, in green)

Figure 5 shows that the directory listing function is almost a direct copy, with only the function variables getting a slight tweak between Apostle and Fantasy.

Figure 5. Directory listing functions from the Fantasy wiper (top, in red) and Apostle ransomware (bottom, in green)

Finally, the GetSubDirectoryFileListRecursive function in Figure 6 is also almost an exact copy.

Figure 6. Recursive directory listing functions from the Fantasy wiper (top, in red) and Apostle ransomware (bottom, in green)

In addition to the code reuse, we can see remnants of the Apostle execution flow in Fantasy. In the original analysis of Apostle, SentinelOne notes that “Proper execution of the ransomware version requires supplying it with a base64 encoded argument containing an XML of an ‘RSAParameters’ object. This argument is passed on and saved as the Public Key used for the encryption process and is most likely generated on a machine owned by the threat actor.” We can see in the batch file in Figure 7, which Sandals creates on remote systems to launch Fantasy, that the same base64-encoded argument containing an XML of an RSAParameters object is passed to Fantasy at runtime. Fantasy, however, does not use this runtime argument.

Figure 7. Sandals passing to Fantasy the same RSAParameters object as was used by Apostle ransomware

Conclusion

Since its discovery in 2021, Agrius has been solely focused on destructive operations. To that end, Agrius operators probably executed a supply-chain attack by targeting an Israeli software company’s software updating mechanisms to deploy Fantasy, its newest wiper, to victims in Israel, Hong Kong, and South Africa. Fantasy is similar in many respects to the previous Agrius wiper, Apostle, that initially masqueraded as ransomware before being rewritten to be actual ransomware. Fantasy makes no effort to disguise itself as ransomware. Agrius operators used a new tool, Sandals, to connect remotely to systems and execute Fantasy.

For any inquiries about our research published on WeLiveSecurity, please contact us at [email protected].

ESET Research also offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

IoCs

SHA-1FilenameDetectionDescription
1A62031BBB2C3F55D44F59917FD32E4ED2041224fantasy35.exeMSIL/KillDisk.IFantasy wiper.
820AD7E30B4C54692D07B29361AECD0BB14DF3BEfantasy45.exeMSIL/KillDisk.IFantasy wiper.
1AAE62ACEE3C04A6728F9EDC3756FABD6E342252host2ip.execleanResolves a hostname to an IP address.
5485C627922A71B04D4C78FBC25985CDB163313BMiniDump.exeMSIL/Riskware.LsassDumper.HImplementation of Mimikatz minidump that dumps credentials from LSASS.
DB11CBFFE30E0094D6DE48259C5A919C1EB57108registry.batBAT/Agent.NRGBatch file that wipes some registry keys and is dropped and executed by the Fantasy wiper.
3228E6BC8C738781176E65EBBC0EB52020A44866secretsdump.pyPython/Impacket.APython script that dumps credential hashes.
B3B1EDD6B80AF0CDADADD1EE1448056E6E1B3274spchost.exeMSIL/Agent.XHSandals lateral movement tool and Fantasy spreader.

MITRE ATT&CK techniques

This table was built using version 12 of the MITRE ATT&CK framework.

TacticIDNameDescription
Resource DevelopmentT1587Develop CapabilitiesAgrius builds utility tools to use during an active exploitation process.
T1587.001Develop Capabilities: MalwareAgrius builds custom malware including wipers (Fantasy) and lateral movement tools (Sandals).
Initial AccessT1078.002Valid Accounts: Domain AccountsAgrius operators attempted to capture cached credentials and then use them for lateral movement.
T1078.003Valid Accounts: Local AccountsAgrius operators attempted to use cached credentials from local accounts to gain initial access to additional systems within an internal network.
ExecutionT1059.003Command and Scripting Interpreter: Windows Command ShellFantasy and Sandals both use batch files that run via the Windows command shell.
Privilege EscalationT1134Access Token ManipulationFantasy uses the LookupPrivilegeValue and AdjustTokenPrivilege APIs in advapi32.dll to grant its process token the SeShutdownPrivilege to reboot Windows.
Defense EvasionT1070.006Indicator Removal on Host: TimestompAgrius operators timestomped the compilation timestamps of Fantasy and Sandals.
Credential AccessT1003OS Credential DumpingAgrius operators used several tools to dump OS credentials for use in lateral movement.
DiscoveryT1135Network Share DiscoveryAgrius operators used cached credentials to check for access to other systems within an internal network.
Lateral MovementT1021.002Remote Services: SMB/Windows Admin SharesAgrius operators used cached credentials to connect over SMB to systems within an exploited internal network.
T1570Lateral Tool TransferAgrius operators used Sandals to push batch files over SMB to other systems within an internal network.
ImpactT1485Data DestructionThe Fantasy wiper overwrites data in files and then deletes the files.
T1561.002Disk WipeFantasy wipes the MBR of the Windows drive and attempts to wipe the OS partition.
T1561.001Disk Wipe: Disk Content WipeFantasy wipes all disk contents from non-Windows drives that are fixed drives.
T1529System Shutdown/RebootFantasy reboots the system after completing its disk and data wiping payloads.

Appendix

File extensions (682) targeted by Fantasy wiper when not targeting all file extensions. File extensions highlighted in yellow (68) are common filename extensions in Windows. Notably absent are file extensions dll and sys.

$$$blenddrwjspnyfqualsoftcodetdb
$dbblend1dsbkb2oabquicken2015backuptex
001blend2dsskbxobjquicken2016backuptga
002blobdtdkc2obkquicken2017backupthm
003bm3dwgkdbodbquickenbackuptib
113bmkdxbkdbxodcqv~tibkp
3dmbookexportdxfkdcodfr3dtif
3dsbpadxgkeyodgraftig
3frbpbem1kfodmrartis
3g2bpmepkkpdxodprattlg
3gpbpnepslayoutodsrawtmp
3prbpserbsqllbfodtrbtmr
73bbpwerflcboebrbctor
7zbsaesmldabakoggrbftrn
__abupexelitemodoilrbkttbk
__bcexfllxoldrbstxt
abcaafbclnkonepkgrdbuci
ab4casfbfltxorfre4upk
abacbkfbkluaorirgss3av2i
abbucbsfbulvlorigrimvb
abfcbufbwmostrmvbk
abkcdffdbm2otgrmbakvbm
abucdrffm3uothrmgbvbox-prev
abu1cdr3ffdm4aotproflvcf
accdbcdr4fffm4votsrrrvdf
accdecdr5fhmapottrtfvfs0
accdrcdr6fhdmaxoyxrw2vmdk
accdtcdrwfhfmbfp12rwlvob
achcdxflambkp7brwzvpcbackup
acpce2flatmbwp7cs3dbvpk
acrcelflkamcmetapabsafenotebackupvpp_pc
actcenon~flkbmdbpagessas7bdatvrb
adbcerflvmdbackuppaksavvtf
adicfpfmbmdcpaqsayw01
adscfrforgemddatapassbw3x
aeacgmfosmdfpatsbbwallet
aficibfpkmdinfopbasbswalletx
agdlck9fpsxmefpbbsbuwar
aiclassfpxmempbdsdOwav
aitclsfshmenupbfsdawb2
alcmfftmbmfwpbjsdcwbb
apjcmtfulmigpblsdfwbcat
apkconfigfwbackupmkvpbx5scriptsidwbk
arccpifxgmlxpbxscriptsiddwbx
arch00cppfzammwpcdsidnwin
arwcr2fzbmoneywellpctsiewjf
as4crawgb1mospdbsimwma
asdcrdsgb2movpddsiswmo
asfcrtgbpmp3pdfskbwmv
ashbakcrwgdbmp4pefsldmwotreplay
asmcsghompbpemsldxwpb
asmxcsdghsmpegpfislmwpd
aspcshgraympgpfxslnwps
aspxcslgreympqgephpsmewspak
assetcsmgrymrwphp5sn1wxwanam
asvcssgs-bckmrwrefphtmlsn2x
asvxcsvgzmsgpk7snax11
asxd3dbsphmsipkpasssnsx3f
ateda0hbkmsimplsnxxbk
atidachkdbmv_plcspfxf
avidashkxmydplcspgxis
awgdashhplgmynotesbackuppngspixla
ba6daziphppnb7potspsxlam
ba7dbhtmnbapotmsqbxlk
ba8db-journalhtm1nbakpotxsqlxlm
ba9db0htmlnbdppamsqlitexlr
bacdb3hvplnbdppssqlite3xls
backdbaibanknbfppsmsqlitedbxlsb
backupdbfibdnbippsxsr2xlsm
backup1dbkibknbkpptsrfxlsx
backupdbdbsibznbspptmsrrxlt
bakdbxicbunbupptxsrtxltm
bak2dc2icfncfpqb-backupsrwxltx
bak3dcricxsncoprfst4xlw
bakxdcsidxndprvst6xml
bak~dddiifndapsst7ycbcra
bankddociiqnddpsast8yrcbck
barddrwincpasnefpsafe3stdyuv
batddsinddnfbpsdstgzbfx
bayderindexnfcpskstizip
bbbdesinprogressnk2pspimagestwztmp
bbzdescipdnoppststx~cw
bc6designisonoyptbsty
bc7dgcitdbnpfptxsum
bckdimitlnpspvcsv$
bckpdivxitmnrbakpvhdsv2i
bcmdiyiv2inrspysvg
bdbdjvuiwdnrwqbaswf
bffdmpiwins2qbbsxc
bgtdnaj01ns3qbksxd
bifdngjarns4qbmsxg
bifxdocjavansdqbmbsxi
bigdocmjbknsfqbmdsxm
bikdocxjdcnsgqbrsxw
bk1dotjpanshqbwsyncdb
bkcdotmjpentlqbxt12
bkfdotxjpegnwbqbyt13
bkpdovjpgnwbakqdftar
bkupdpbjpsnx2qictax
bkzdrfjsnxlqsftbk

Source