Iranian Agrius APT hackers are using the new “Fantasy” data wiper in supply chain attacks that affect organizations in Israel and South Africa.
The campaign began in February 2022 and reached its full extent in March 2022. An IT support company, diamond wholesalers, jewelers, and HR consulting companies were all breached.
Agrius employed a brand new wiper called ‘Fantasy,’ hidden inside a software suite created by an Israeli vendor and commonly used by the diamond industry.
ESET claims that ‘Fantasy’ is an evolution of the ‘Apostle’ wiper, which threat actor .
Wipers are a type of malware that erases data from compromised computers in order to cause business disruption.
On February 20, 2022, the Agrius APT (Advanced Persistent Threat) broke into a South African diamond trade organization and dropped credential harvesters such as SecretsDump and MiniDump onto its network in order to steal credentials.
The hackers used the stolen credentials to spread the malware further through the network, and presumably collected information to gain access to other systems.
On March 12, 2022, Agrius used Host2IP to distribute the Fantasy wiper across all devices.
Sandals, a Windows executable, connects to other systems via SMB and creates a batch file via PsExec that launches the Fantasy wiper.
The attackers used all four tools mentioned above against targets in Israel and one company in Hong Kong within 2.5 hours.
According to ESET, all the companies that were attacked were customers of the affected software developer, which noticed the issue immediately and released clean updates within hours.
The “Fantasy” wiper
The Fantasy data wiper is a 32-bit Windows executable, seen under the names ‘fantasy45.exe’ and ‘fantasy35.exe.exe’. When executed, it builds a complete list of drives and directories, with the exception of the Windows directory, and of every file within each folder.
Fantasy writes random data to each file, sets its time stamps to midnight in 2037, and then deletes it. The process is designed to prevent files from being recovered with data recovery tools.
Fantasy then deletes registry keys under HKCR and clears the Windows event logs. Finally, Fantasy sleeps for 2 minutes.
The wiper then overwrites and deletes the master boot file and reboots the machine after a further 30-second delay.
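The timestamp behaviour described above leaves a recognizable forensic artifact: files (or file entries recovered from a %SYSTEMDRIVE% image) whose modification or access time sits at 00:00:00 on a date in 2037. The triage helper below is an added example for responders, not code from ESET's report or from the threat actor; it walks a directory tree (assumed to be a mounted image or a set of recovered files), skips a `Windows` directory the same way the wiper does, and returns every path carrying the artifact. The sample tree it builds is constructed for the demonstration; the exact 2037 date is not given in the article, so any date in that year is matched.

```python
"""Triage helper: flag files carrying the 'midnight 2037' timestamp artifact
described for the Fantasy wiper. Added example, not ESET's or Agrius' code."""
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Year the article reports the wiper stamps on files; the exact date is not
# stated, so every 00:00:00 timestamp in this year is treated as a hit.
ARTIFACT_YEAR = 2037


def is_midnight_2037(ts: float) -> bool:
    """True if the epoch timestamp falls on 00:00:00 of a 2037 date.

    Checked in both UTC and local time, since it is not known which clock the
    wiper uses when it rewrites the timestamps (assumption)."""
    for dt in (datetime.fromtimestamp(ts, tz=timezone.utc), datetime.fromtimestamp(ts)):
        if dt.year == ARTIFACT_YEAR and (dt.hour, dt.minute, dt.second) == (0, 0, 0):
            return True
    return False


def find_stamped_files(root: str, skip_dirs=("Windows",)) -> list:
    """Walk root (a mounted image or recovered file set) and return the
    root-relative POSIX-style paths whose mtime or atime shows the artifact.

    Directories named in skip_dirs are not descended into, mirroring the
    wiper's own exclusion of the Windows directory."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path, follow_symlinks=False)
            except OSError:
                continue  # unreadable entry: skip rather than abort the sweep
            if is_midnight_2037(st.st_mtime) or is_midnight_2037(st.st_atime):
                hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed sample: two 'stamped' files, one untouched file and one file
    under a Windows directory, created in a fresh temporary directory."""
    root = tempfile.mkdtemp(prefix="fantasy_triage_")
    stamped = int(datetime(2037, 6, 1, 0, 0, 0, tzinfo=timezone.utc).timestamp())
    layout = (
        ("docs/report.docx", stamped),
        ("db/ledger.mdb", stamped),
        ("notes.txt", None),
        ("Windows/System32/ignored.dll", stamped),  # excluded by skip_dirs
    )
    for rel, stamp in layout:
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(os.urandom(64))  # constructed content, stands in for wiped data
        if stamp is not None:
            os.utime(p, (stamp, stamp))
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in find_stamped_files(sample_root):
        print("artifact:", hit)
```

On a real case, point `find_stamped_files` at the mount point of the recovered volume; the result set is the list of entries that were rewritten before deletion, which helps scope which data the recovery effort needs to target.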
ESET notes that even though the attacks were devastating, victims can get back to running within hours.
Recovery of %SYSTEMDRIVE% is probably possible. “Victims were seen to be up and running in a matter of hours,” explained ESET.
ESET says that there is considerable code overlap between Fantasy and Apostle, but Fantasy is purely a wiper: it has no data encryption capability and does not generate ransom notes.