Iranian hackers accused of targeting diamond industry with wiper malware

Hackers allegedly connected to the Iranian government have been accused of targeting diamond companies in South Africa, Israel and Hong Kong with a wiper malware built to destroy data.  

Researchers from ESET attributed the wiper tool – named Fantasy – to the Agrius APT group, which other researchers have indicated has ties to Iran’s government. ESET said the group is a newer Iran-aligned group targeting victims primarily in Israel and the United Arab Emirates since 2020.

Their latest campaign began in February 2022 and has targeted Israeli HR and IT consulting firms as well as users of an Israeli software suite used in the diamond industry. 

“We believe that Agrius operators conducted a supply-chain attack abusing the Israeli software developer to deploy their new wiper, Fantasy, and a new lateral movement and Fantasy execution tool, Sandals,” the researchers said. 

The campaign began on February 20, when the group used credential harvesting tools on an unnamed South African company in the diamond industry. Usernames, passwords, and hostnames were stolen during this phase of the campaign. 

By March 12, the group launched the Fantasy wiper on the South African company as well as the Israeli firms. A jeweler in Hong Kong was also attacked with the wiper. 

ESET said the campaign lasted less than three hours and that they were able to block the wiper from destroying data. The researchers found that the Fantasy wiper is deployed through a supply-chain attack exploiting an unknown software developer’s software update mechanism.

“We observed the software developer pushing out clean updates within a matter of hours of the attack. We reached out to the software developer to notify them about a potential compromise, but our enquiries went unanswered,” the researchers said. 

ESET made their assessment that the wiper was tied to a software update mechanism because all of the victims were customers of the affected software developer and the wiper was named in a way that resembled legitimate versions of the software.

Like most hacking groups, Agrius exploits known vulnerabilities in internet-facing applications to move laterally around a network before deploying its wiper malware. 

Analysis of the wiper tool revealed that it is built on the back of the Apostle wiper, another tool the group used in past years that masqueraded as ransomware. 

Cybersecurity firm Sentinel Labs released a report last year examining the Apostle ransomware, discovering that it was instead simply a wiper that destroyed data and did not hold it hostage. 

The Fantasy wiper abandons Apostle’s ransomware trapping and “goes right to work wiping data,” according to ESET, which noted that much of the code base of Fantasy comes directly from Apostle with only a few small tweaks. 

“Since its discovery in 2021, Agrius has been solely focused on destructive operations. To that end, Agrius operators probably executed a supply-chain attack by targeting an Israeli software company’s software updating mechanisms to deploy Fantasy, its newest wiper, to victims in Israel, Hong Kong, and South Africa,” the researchers said. 

“Fantasy is similar in many respects to the previous Agrius wiper, Apostle, that initially masqueraded as ransomware before being rewritten to be actual ransomware. Fantasy makes no effort to disguise itself as ransomware.”

Iranian-linked hacking groups have a long history of deploying data wipers and hiding data-wiping attacks as ransomware. Previous cases include the Shamoon, ZeroCleare, and Dustman malware.