Israeli higher education and technology sectors have fallen victim to a series of highly sophisticated cyberattacks that began in January 2023, with the perpetrators deploying previously undocumented wiper malware as part of their attempts to steal sensitive data.
These intrusions, continuing until as recently as October, have been traced back to an Iranian nation-state hacking group known as Agonizing Serpens, which operates under various aliases including Agrius, BlackShadow, and Pink Sandstorm (formerly Americium).
A recent report from Palo Alto Networks Unit 42 revealed that the attacks aimed to steal critical information such as personally identifiable information (PII) and intellectual property. Once the attackers had obtained the targeted data, they used a variety of wipers to erase their tracks and render the infected endpoints inoperable.
The deployed wipers include three distinct novel variants: MultiLayer, PartialWasher, and BFG Agonizer, along with a customized tool named Sqlextractor designed specifically to extract information from database servers.
Agonizing Serpens, operational since at least December 2020, has a history of launching wiper attacks against Israeli entities. In a previous incident this May, cybersecurity firm Check Point identified the group’s use of a ransomware strain called Moneybird in attacks targeting the country.
The latest wave of attacks involved the exploitation of vulnerable internet-facing web servers as initial access points. The attackers then deployed web shells and conducted extensive reconnaissance of victim networks, stealing credentials with administrative privileges in the process.
Following a lateral movement phase, the attackers utilized a combination of public and custom tools like Sqlextractor, WinSCP, and PuTTY for data exfiltration. The final step involved delivering the wiper malware:
- MultiLayer: A .NET malware that systematically deletes files or corrupts them with random data, making recovery efforts futile and rendering the system unusable by wiping the boot sector.
- PartialWasher: A C++-based malware designed to scan drives and wipe specified folders along with their subfolders.
- BFG Agonizer: This malware heavily relies on an open-source project called CRYLINE-v5.0 to carry out its malicious activities.
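The chain described above (web shell on an internet-facing server, then exfiltration with WinSCP/PuTTY-family tools, then the wipers) gives defenders a sequence to hunt for before the destructive stage. The following is an added detection example, not code from Unit 42 or from the article; it runs over constructed process-creation events, and the web-worker and tool process names are assumptions rather than indicators from the report.

```python
"""Flag hosts where a web-server worker spawned a shell (web-shell activity)
and a file-transfer tool ran afterwards. Added example over constructed
events; process names are assumptions, not indicators from the report."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed names: workers a web shell would run under, interpreters it would
# spawn, and WinSCP / PuTTY-family binaries named in the article.
WEB_WORKERS = {"w3wp.exe", "httpd", "nginx", "php-fpm", "tomcat"}
SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash"}
TRANSFER_TOOLS = {"winscp.exe", "putty.exe", "pscp.exe", "plink.exe", "psftp.exe"}

def parse_event(line):
    """Parse a constructed 'timestamp|host|parent_image|image' record."""
    ts, host, parent, image = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "parent": parent.lower(), "image": image.lower()}

def find_chains(lines, window=timedelta(hours=24)):
    """Return (host, shell_time, tool_time, tool) for every transfer-tool
    launch that follows a web-worker-spawned shell on the same host
    within `window`. A transfer tool with no preceding web shell is ignored,
    which keeps routine administrator use of WinSCP out of the results."""
    by_host = defaultdict(list)
    for ev in map(parse_event, lines):
        by_host[ev["host"]].append(ev)
    hits = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        shell_times = [e["ts"] for e in events
                       if e["parent"] in WEB_WORKERS and e["image"] in SHELLS]
        for e in events:
            if e["image"] not in TRANSFER_TOOLS:
                continue
            for st in shell_times:
                if st <= e["ts"] <= st + window:
                    hits.append((host, st, e["ts"], e["image"]))
                    break
    return hits

SAMPLE_EVENTS = [  # constructed telemetry, not data from the incident
    "2023-01-10T02:14:05|web01|w3wp.exe|cmd.exe",
    "2023-01-10T02:15:30|web01|cmd.exe|whoami.exe",
    "2023-01-10T03:40:12|web01|cmd.exe|pscp.exe",
    "2023-01-10T09:00:00|admin7|explorer.exe|winscp.exe",  # benign admin use
    "2023-01-12T11:00:00|web01|w3wp.exe|cmd.exe",
]

if __name__ == "__main__":
    for hit in find_chains(SAMPLE_EVENTS):
        print("web shell followed by transfer tool:", hit)
```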
The connection to Agrius was established through multiple code overlaps with other malware families such as Apostle, IPsec Helper, and Fantasy, all of which have been previously used by the group.
“It is evident that the Agonizing Serpens APT group has recently enhanced its capabilities, investing significant efforts and resources to bypass Endpoint Detection and Response (EDR) systems and other security measures,” stated researchers from Unit 42. “To achieve this, they have been alternating between well-known proof-of-concept (PoC) and penetration testing tools as well as utilizing custom tools in their operations.”