Researchers say they have discovered never-before-seen disk-wiping malware that disguises itself as ransomware while unleashing devastating attacks on Israeli targets.
Apostle, as researchers at security firm SentinelOne call the malware, was initially deployed in an attempt to erase data but failed, likely due to a logic flaw in the code. The internal name the developers gave it was ‘wiper action’. A later version fixed the bug and gave the malware full ransomware behavior, including the ability to leave notes demanding that victims pay a ransom in exchange for a decryption key.
A clear line
In a post published Tuesday, SentinelOne researchers said they had determined with high confidence, based on the code and the servers Apostle reported to, that the malware was being used by a newly discovered group with ties to the Iranian government. Although a ransom note recovered by the researchers suggested that Apostle had been used against a critical facility in the United Arab Emirates, its primary target was Israel.
“Using ransomware as a disruptive tool is usually difficult to prove because it is difficult to determine a threat actor’s intentions,” the report said. “Analysis of the Apostle malware provides a rare insight into these types of attacks, drawing a clear line between what started out as a wiper malware and a fully operational ransomware.”
The researchers call the new hacking group Agrius. SentinelOne first saw the group use Apostle as a disk wiper, although a bug in the malware, most likely a logic error in the code, prevented it from actually wiping data. Agrius then fell back on Deadwood, a wiper that had already been deployed against a target in Saudi Arabia in 2019.
Agrius’ new version of Apostle is full-fledged ransomware.
“We believe that the implementation of the encryption functionality is there to mask its true intent – to destroy victim data,” the report said. “This statement is supported by an early version of Apostle that the attackers internally referred to as ‘wiper action’.”
Apostle shares a large amount of code with a backdoor called IPSec Helper, which Agrius also uses. IPSec Helper accepts a wide range of commands issued by the attackers’ command-and-control server, such as downloading and executing an executable file. Both Apostle and IPSec Helper are written in .NET.
Agrius also uses web shells to move laterally within a compromised network. To hide their IP addresses, members use ProtonVPN.
Affinity with wipers
Iran-sponsored hackers already had an affinity for disk wipers. In 2012, self-replicating malware ripped through the network of Saudi Aramco, the Saudi Arabia-based company that is the world’s largest exporter of crude oil, permanently destroying the hard drives of more than 30,000 workstations. Researchers later identified the wiper worm as Shamoon and said it was the work of Iran.
In 2016, Shamoon reappeared in a campaign that hit multiple organizations in Saudi Arabia, including several government agencies. Three years later, researchers discovered a new Iranian wiper called ZeroCleare.
Apostle isn’t the first wiper disguised as ransomware. NotPetya, the worm that caused billions of dollars in damage worldwide, also posed as ransomware until researchers determined it was created by Russian government-backed hackers to destabilize Ukraine.
SentinelOne Principal Threat Researcher Juan Andres Guerrero-Saade said in an interview that malware like Apostle illustrates the interplay that often occurs between financially motivated cybercriminals and nation-state hackers.
“The threat ecosystem continues to evolve, with attackers developing different techniques to achieve their goals,” he said. “We see cybercriminal gangs learning from the better-equipped nation-state groups. Similarly, the nation-state groups are borrowing from criminal gangs — disguising their disruptive attacks under the guise of ransomware with no indication of whether victims are actually getting their files back in exchange for ransom.”