Researchers on Tuesday disclosed a new espionage campaign, active against Israeli entities since at least December 2020, that relies on destructive data-wiping attacks camouflaged as ransomware extortion.
Cybersecurity firm SentinelOne attributed the attacks to a nation-state actor affiliated with Iran it tracks under the moniker “Agrius.”
“An analysis of what at first sight appeared to be a ransomware attack revealed new variants of wipers that were deployed in a set of destructive attacks against Israeli targets,” the researchers said. “The operators behind the attacks intentionally masked their activity as ransomware attacks, an uncommon behavior for financially motivated groups.”
The group’s modus operandi involves deploying a custom .NET malware called Apostle, which has evolved into fully functional ransomware, supplanting its earlier wiper capabilities. Some of the attacks were instead carried out with a second wiper named DEADWOOD (aka Detbosit), after a logic flaw in early versions of Apostle prevented data from being erased.
In addition, the Agrius actors drop a .NET implant called IPsec Helper that can be used to exfiltrate data or deploy…