Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors

MITRE Techniques

• [T1190] Exploit Public-Facing Application – Initial access via exploiting vulnerable internet-facing web servers. ‘The attackers gained initial access to the environment by exploiting vulnerable internet facing web servers.’
• [T1505.003] Web Shell – Deployment and use of ASPXSpy-like web shells (Uploader.aspx, xcopy.aspx) to foothold and move laterally. ‘The web shells that threat actors used in the described attack… variations to the naming of functions.’
• [T1046] Network Service Discovery – Reconnaissance using Nbtscan, WinEggDrop, and NimScan to map the network. ‘Nbtscan, renamed as systems.txt, to scan the network for existing hosts.’
• [T1046] Network Service Discovery – Further reconnaissance with WinEggDrop and NimScan for port scanning. ‘WinEggDrop… to scan particular hosts of interest.’
• [T1046] Network Service Discovery – Additional port scanning reference with NimScan. ‘NimScan is another publicly available port scanner that the attackers used in the attack.’
• [T1003] Credential Dumping – Obtaining admin credentials via Mimikatz, SMB password spraying/brute force, and SAM dumping. ‘Mimikatz (filename: Mimi.exe)… Dumping the SAM file.’
• [T1021.004] SSH – Lateral movement using Plink to create remote tunnels and connect to remote machines. ‘Plink (renamed as systems.exe) to create remote tunneling and establish connections to remote machines.’
• [T1041] Exfiltration Over C2 Channel – Exfiltrating data to C2 servers using WinSCP and PuTTY. ‘they exfiltrated this information to the attackers’ C2 servers, using different publicly available tools such as WinSCP and Putty.’
• [T1560.001] Archive Collected Data – Archiving data with 7za.exe prior to exfiltration. ‘7za.exe to archive the extracted data in preparation for exfiltration.’
• [T1485] Data Destruction – Wiper payloads (MultiLayer, BFG Agonizer) overwrite data to prevent recovery. ‘Locally stored files are corrupted and overwritten with random data to thwart file recovery efforts.’
• [T1070.006] Timestomp – Masquerade by altering file timestamps. ‘The malware timestomps according to the file system.’
• [T1070.001] Clear Windows Event Logs – MultiLayer deletes event logs via a scheduled task. ‘DeleteLogs() function to create a scheduled task that launches a batch script… removes all the Windows Event Logs.’
• [T1107] File Deletion – Self-deletion and removal of its components. ‘SelfDelete()’ and batch-based removal of traces.
• [T1562.001] Impair Defenses – Anti-hooking and BYOVD driver techniques to bypass security tools. ‘anti-hooking techniques… BYOVD technique.’