Iranian Threat Actor Launches New 'Fantasy' Data Wiper
Category: Threat Actor Activity | Industries: Consulting, Retail, Technology | Level: Tactical | Source: ESET
The Iranian threat group Agrius has added a data wiper, dubbed "Fantasy", to its attack arsenal. The new destructive malware has been deployed as the final payload in supply-chain attacks against organizations in Hong Kong, Israel, and South Africa. Researchers from ESET report the discovery following campaigns Agrius began in February 2022, "targeting Israeli HR and IT consulting firms, and users of an Israeli software suite used in the diamond industry. We believe that Agrius operators conducted a supply-chain attack abusing the Israeli software developer to deploy their new wiper, Fantasy, and a new lateral movement and Fantasy execution tool, Sandals."
The data wiper does not attempt to masquerade as ransomware. Upon execution it overwrites files and the master record, but it is not entirely devastating: ESET reports that victims were able to reverse the damage caused by the wiper. "It is likely that %SYSTEMDRIVE% recovery is possible. Victims were observed to be back up and running within a matter of hours." ESET was also able to prevent execution of the Fantasy wiper in a campaign lasting under three hours. However, the dwell time between the adversary's initial reconnaissance and credential-access activity and wiper execution was just under three weeks. "Agrius operators deployed MiniDump and SecretsDump to this campaign’s first victim on February 20th, 2022, but waited until March 12th, 2022, to deploy Host2IP, Fantasy, and Sandals (consecutively)." The group's custom tools were used to spread the Fantasy wiper through the victim's environment.
Anvilogic Use Cases:
- Mimikatz Execution
- Python Execution
- pypykatz commands