Security researchers warn that an Iran-based threat actor has launched cyberespionage attacks against Iranian organizations from the education and technology sectors since the beginning of the year. The attacks have a destructive component as the actor deploys data wipers to cover their tracks, leaving impacted systems unusable.
“Our investigation revealed the perpetrators of the attacks have strong connections to an Iranian-backed APT group Unit 42 tracks as Agonizing Serpens (aka Agrius, BlackShadow, Pink Sandstorm, DEV-0022),” researchers from Palo Alto Networks said in a report. According to the company, the wave of attacks started in January and continued as of last month.
Agonizing Serpens’ activities date back in 2020 when it posed as a ransomware group and even left fake ransom notes on computers. However, the group’s intentions have always been to cause reputational damage and disrupt business continuity for its victims.
The group first steals personally identifiable information (PII) and intellectual property from databases it finds on compromised systems and releases the sensitive data on social media and Telegram channels. It then deploys wiper malware to disrupt as many systems as possible. The latest campaign observed this year shows that Agonizing Serpens has developed new custom malware tools to evade detection by security products.
From web shells to lateral movement
The Palo Alto researchers investigated a compromise in October where the group got inside a network by exploiting vulnerable web servers and then deployed web shells — scripts that provide attackers with the ability to execute commands. The web shells were almost identical to ones used by Agonizing Serpens in past attacks, and they appear to be variations of a publicly available web shell called ASPXSpy.
The access provided by the scripts allowed the attackers to perform reconnaissance on the network. To do this they used multiple publicly available network and system scanners including Nbtscan, WinEggDrop and NimScan.
To obtain administrative credentials the attackers deployed Mimikatz, an open-source tool for extracting local credentials. They dumped the Windows Security Accounts Manager (SAM) and tried to guess SMB credentials by using password spraying and other brute force techniques. Once credentials were obtained, the attackers used PuTTY Link (plink), a network connection tool, to access other systems.
Data exfiltration and system wiping
In the next stage of the compromise, the attacker deployed the first custom tool called sqlextractor. As its name implies, the tool is used to connect to databases and extract information, particularly data like national ID numbers, passport scans, email addresses, and full addresses. The data is saved in CSV format and is then archived and exfiltrated to a command-and-control server by using public tools such as WinSCP or Pscp.exe (PuTTY Secure Copy Protocol). Process memory dumps saved as .dmp files were also exfiltrated.
“During the incident, the attackers attempted to use three separate wipers as part of the destructive attack,” the researchers said. “While some of the wipers show code similarities to previously reported wipers the Agonizing Serpens group used, others are considered brand new and have been used for the first time in this attack.”
The first wiper is called MultiLayer and is written in .NET. It deploys two binaries called MultiList and MultiWip. MultiList is used to enumerate all files on the system and build a list of file paths with certain folders excluded, while MultiWip is the file wiping component which starts overwriting local files with random data.
To make data recovery attempts harder, the wiper changes the timestamps of the targeted files and changes their original paths before deleting them. MultiLayer also deletes all the Windows Event logs, the volume shadow copies and the first 512 bytes of the physical disk which holds the boot sector to leave systems unbootable after restart. It then deletes itself and all scripts it created and used.
The Palo Alto researchers noted that MultiLayer shares the same function naming conventions and even entire code blocks with other custom tools previously associated with Agonizing Serpens, such as Apostle, IPsec Helper, and Fantasy. This could be the result of the tools sharing the same code base or being created by the same developer.
During the same attack, the attackers also deployed a second wiper that they call PartialWasher or PW. This program is written in C++ instead of .NET and is a more selective wiper where attackers have more control about its execution by using command line flags. For example, the wiper can be instructed to collect information about the drive and partitions, to write 420 MB of random binary data to a drive, to wipe a specified file or files in a particular folder and subfolders, and to change attributes of a file.
Finally, a third wiper called BFG Agonizer was also deployed. This wiper has many code similarities to an open-source project called CRYLINE-v5.0 and might be based on it. This wiper stands out because it uses several anti-hooking techniques such as DLL unhooking and Import Address Table (IAT) Unhooking to evade detection by antivirus programs. It then cripples the drive’s boot sector by overwriting the first six sectors and forcing the system to reboot.
How the Agonizing Serpens attacks evade detection
The attackers deployed three different wipers because they kept trying to bypass the security product deployed on the system. To achieve this, they also employed bring-your-own-vulnerable-driver (BYOVD) techniques. This relies on deploying a legitimate and digitally signed kernel driver that is part of a known application but is either vulnerable in some way or provides attackers with some desired functionality.
One of the drivers deployed is part of a solution called GMER and was originally intended to detect and remove rootkits, but the attackers tried to use it to remove security products. Another driver they deployed with the same purpose is part of a new publicly available PoC tool called BadRentdrv2 that was published at the beginning of October.
“This attack is a part of a broader offensive campaign that targets Israeli organizations,” the researchers said. “Based on our telemetry, the most targeted organizations belong to the education and technology sectors.”