Posted on May 27, 2021 at 9:51 AM
Researchers at cybersecurity firm SentinelOne have discovered a new disk-wiping malware that disguises itself as ransomware to attack Israeli organizations.
The malware, dubbed “Apostle” by the researchers, was first used in the wild to wipe data, but that first attempt failed, mainly because of a logic flaw in its code.
The flaw was fixed in a later version, and the malware developed full-fledged ransomware behavior.
This included the ability to drop ransom notes demanding that victims pay if they want a decryption key.
The malware group has ties with the Iranian government
SentinelOne, in a recent post, stated that based on the servers Apostle reported to and on the code it uses, the malware is being operated by a newly identified threat group. According to the researchers, the group is likely linked to the Iranian government.
Apostle’s main target is Israel, although a ransom note the researchers discovered shows that the malware has also been used against a critical facility in the United Arab Emirates.
The researchers’ report noted that the intentions of a threat actor are always difficult to determine, which makes it hard to prove that ransomware is being used as a disruptive tool rather than for profit.
The analysis of Apostle, however, provided new insight into this type of attack: according to the researchers, the campaign began with wiper malware and has since grown into fully operational ransomware.
SentinelOne calls the threat actor Agrius. Initially, the group deployed Apostle as a disk wiper; when that failed because of the flaw, Agrius fell back to Deadwood, a previously known wiper that had been deployed against targets in Saudi Arabia in 2019.
The group then invested serious effort in developing Apostle into full-fledged ransomware.
However, the researchers stated that the group implemented the encryption functionality only to cover its real intentions.
While the malware presents itself as ransomware, SentinelOne stated, it is built to destroy victims’ data.
Apostle shares significant code overlap with a backdoor, referred to as IPSec Helper, which is also used by Agrius.
The threat actors also use webshells
The backdoor accepts several commands, including downloading and executing an executable fetched from the threat actor’s command-and-control server. Notably, both IPSec Helper and Apostle are written in .NET.
Agrius also uses webshells to move laterally within a compromised network. Members of the group have also been observed using ProtonVPN to hide their IP addresses when launching attacks.
Iranian-linked hackers appear to have deployed similar malware in the past. In 2012, servers at Saudi Aramco were hit by self-replicating malware that permanently wiped the hard drives of more than 30,000 workstations.
A few days after the attack, security researchers identified the wiper worm responsible as Shamoon and linked it to the Iranian government.
In 2016, Shamoon resurfaced, again in Saudi Arabia, in a campaign that hit multiple organizations in the country, including several government agencies. In 2019, researchers discovered another Iranian wiper, called ZeroCleare.
Apostle is not the first malware to disguise itself
SentinelOne researchers noted that other malware has masqueraded as ransomware in the past. The notorious NotPetya worm, which cost organizations billions of dollars, was also dressed up as ransomware.
Its true purpose remained hidden until researchers attributed it to Russian state-backed hackers seeking to destabilize Ukraine.
In a recent interview, Juan Andres Guerrero-Saade, principal threat researcher at SentinelOne, said that malware such as Apostle highlights the difference in motive between nation-state hackers and financially motivated criminals.
He added that the threat landscape has evolved, with actors adopting different strategies against their targets, so organizations must improve their defenses if they do not want to be overrun.