Iranian hacking group Agrius launch data wiper malware


As a final stage in attacks, the Agrius hacking organization has resorted to using a mixture of wiper and ransomware capability that claims to hold data for ransom.


Agrius was first discovered in attacks on Israeli targets in 2020, according to SentinelOne who studied the group’s most recent movements.




The organization deploys either a damaging wiper or a proprietary wiper-turned-ransomware variation using a combination of its own bespoke toolsets and readily available offensive security technologies.



Unlike most ransomware groups, Agrius does not appear to be motivated solely by financial gain; rather, the use of ransomware appears to be a new addition to attacks aimed at cyberespionage and devastation.


Agrius pretended to have stolen and encrypted information to extort victims in specific attacks detected by SentinelOne when just a wiper was deployed, but the information had already been deleted by the wiper.


Agrius allegedly disguised its activities as a ransomware attack while carrying out devastating attacks against Israeli targets, according to the researchers.



Deadwood (also known as Detbosit) is a destructive wiper malware variant included in Agrius’ toolkit.


Wipers have been linked to both APT33 and APT34, including Deadwood, Shamoon, and ZeroCleare.



Agrius also uses a custom.NET backdoor called IPsec Helper to maintain persistence and establish a connection with a command-and-control (C2) server during attacks. In addition, the group will release Apostle, a novel.NET wiper.


According to SentinelOne, Agrius has no firm affiliations to other well-known threat groups, but its interests in Iranian affairs, the usage of web shells with linkages to Iranian-built variations, and the employment of wipers in the first place — an attack methodology related to Iranian APTs as far back as 2002 — indicate the group is most likely Iranian.



Also read: Bose Data Breach: suffered a major ransomware attack


You might also like: Domino’s data breach: Users’ data available on dark web


You might also like: Air India Data Breach: Over 4.5 millions customers’ data impacted


You might also like: E-commerce giant Mercari data breach: several data exposed