Fantasy – a new Agrius wiper deployed through a supply-chain attack

ESET researchers uncovered a new wiper called Fantasy and its execution tool Sandals, attributed to the Agrius APT, deployed through a supply-chain compromise against an Israeli software developer. The operation targeted Israeli HR/IT firms, diamond-industry software users, and victims in South Africa and Hong Kong, with a rapid three-hour campaign that wiped data instead of masquerading as ransomware. #FantasyWiper #Agrius #Sandals #Apostle #DiamondIndustry #Israel #SouthAfrica #HongKong

Keypoints

  • Agrius conducted a supply-chain attack exploiting an Israeli software developer’s update mechanism.
  • The group introduced Fantasy, a wiper built on Apostle’s codebase, and a new lateral-movement tool named Sandals.
  • Fantasy does not disguise itself as ransomware and wipes data directly, unlike Apostle’s original approach.
  • Sandals facilitates remote execution and deployment of Fantasy via SMB and PsExec, including a batch-file workflow.
  • Victims include Israeli HR/IT firms, a diamond industry software user, a South African diamond organization, and a Hong Kong jeweler.
  • The attack timeline shows credential-harvesting tools deployed on Feb 20, 2022 and wiper deployment on Mar 12, 2022, targeting multiple regions within a few hours.

MITRE Techniques

  • [T1587] Develop Capabilities – Agrius builds utility tools to use during an active exploitation process.
  • [T1587.001] Develop Capabilities: Malware – Agrius builds custom malware including wipers (Fantasy) and lateral movement tools (Sandals).
  • [T1078.002] Valid Accounts: Domain Accounts – Agrius operators attempted to capture cached credentials and then use them for lateral movement.
  • [T1078.003] Valid Accounts: Local Accounts – Agrius operators attempted to use cached credentials from local accounts to gain initial access to additional systems within an internal network.
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Fantasy and Sandals both use batch files that run via the Windows command shell.
  • [T1134] Access Token Manipulation – Fantasy uses the LookupPrivilegeValue and AdjustTokenPrivileges APIs in advapi32.dll to grant its process token the SeShutdownPrivilege so that it can reboot Windows.
  • [T1070.006] Indicator Removal on Host: Timestomp – Agrius operators timestomped the compilation timestamps of Fantasy and Sandals.
  • [T1003] OS Credential Dumping – Agrius operators used several tools to dump OS credentials for use in lateral movement.
  • [T1135] Network Share Discovery – Agrius operators used cached credentials to check for access to other systems within an internal network.
  • [T1021.002] Remote Services: SMB/Windows Admin Shares – Agrius operators used cached credentials to connect over SMB to systems within an exploited internal network.
  • [T1570] Lateral Tool Transfer – Agrius operators used Sandals to push batch files over SMB to other systems within an internal network.
  • [T1485] Data Destruction – The Fantasy wiper overwrites data in files and then deletes the files.
  • [T1561.002] Disk Wipe – Fantasy wipes the MBR of the Windows drive and attempts to wipe the OS partition.
  • [T1561.001] Disk Wipe: Disk Content Wipe – Fantasy wipes all disk contents from non-Windows drives that are fixed drives.
  • [T1529] System Shutdown/Reboot – Fantasy reboots the system after completing its disk and data wiping payloads.
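The timestomping entry above (T1070.006) is the one mapped technique a triage analyst can check directly on a recovered sample: a PE's COFF header carries the linker's TimeDateStamp, and a value that is zero, in the future, or far older than the toolchain that produced the binary is a hunting signal. The following is an added example written for this summary; it is not ESET's code and not part of the Fantasy or Sandals analysis. It parses the COFF timestamp from an in-memory PE image and classifies it against thresholds that are my own assumptions (the "oldest plausible" date and the reference "now"), using a constructed minimal PE header rather than any real sample.

```python
import struct
from datetime import datetime, timezone

# Offsets from the PE/COFF specification: e_lfanew lives at 0x3C in the DOS
# header; the COFF header (Machine, NumberOfSections, TimeDateStamp, ...) follows
# the 4-byte "PE\0\0" signature, so TimeDateStamp is at e_lfanew + 8.
DOS_E_LFANEW_OFFSET = 0x3C
COFF_TIMESTAMP_OFFSET = 8


def pe_compile_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, DOS_E_LFANEW_OFFSET)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + COFF_TIMESTAMP_OFFSET)
    return timestamp


def classify_compile_timestamp(timestamp: int, now: int, oldest_plausible: int) -> str:
    """Label a compile timestamp for triage.

    Thresholds are assumptions for this example: 'now' is the analyst's reference
    time and 'oldest_plausible' is the earliest build date the analyst accepts for
    the toolchain in question.
    """
    if timestamp == 0:
        return "zeroed"            # common when the stamp was deliberately blanked
    if timestamp > now:
        return "future"            # cannot be a genuine build time
    if timestamp < oldest_plausible:
        return "implausibly-old"   # predates the toolchain/period under review
    return "plausible"


def build_sample_pe(timestamp: int) -> bytes:
    """Construct a minimal, non-executable PE header with the given TimeDateStamp.

    Constructed test data only: a DOS stub with e_lfanew=0x40, the PE signature,
    and a bare COFF header. It is enough for pe_compile_timestamp() to parse.
    """
    dos_header = bytearray(0x40)
    dos_header[:2] = b"MZ"
    struct.pack_into("<I", dos_header, DOS_E_LFANEW_OFFSET, 0x40)
    # COFF header: Machine=0x14C (i386), NumberOfSections=1, TimeDateStamp,
    # PointerToSymbolTable=0, NumberOfSymbols=0, SizeOfOptionalHeader=0,
    # Characteristics=0x0102 (EXECUTABLE_IMAGE | 32BIT_MACHINE).
    coff_header = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos_header) + b"PE\0\0" + coff_header


def triage_sample(data: bytes, now: int, oldest_plausible: int) -> str:
    """Parse a PE image and return the timestamp classification."""
    return classify_compile_timestamp(pe_compile_timestamp(data), now, oldest_plausible)


if __name__ == "__main__":
    # Reference times for the demo (assumed values, not from the report).
    reference_now = int(datetime(2022, 12, 7, tzinfo=timezone.utc).timestamp())
    oldest_ok = int(datetime(2015, 1, 1, tzinfo=timezone.utc).timestamp())
    for label, ts in [("zeroed", 0),
                      ("future", reference_now + 30 * 86400),
                      ("old", int(datetime(2001, 6, 1, tzinfo=timezone.utc).timestamp())),
                      ("recent", int(datetime(2022, 3, 1, tzinfo=timezone.utc).timestamp()))]:
        print(label, "->", triage_sample(build_sample_pe(ts), reference_now, oldest_ok))
```

On a real case the classification is only a prompt for a closer look: a stamp that is "plausible" can still be forged, so corroborate it against the Rich header, debug directory timestamps, file system MAC times, and the first-seen date of the sample.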

Indicators of Compromise

  • [SHA-1] – Fantasy-related artifacts observed in the attack. 1A62031BBB2C3F55D44F59917FD32E4ED2041224, 820AD7E30B4C54692D07B29361AECD0BB14DF3BE, and 4 more hashes
  • [Filename] – Fantasy wiper executables discovered in the campaign. fantasy35.exe, fantasy45.exe

Read more: https://www.welivesecurity.com/2022/12/07/fantasy-new-agrius-wiper-supply-chain-attack/