A never-before-seen wiper malware targets Israeli targets

Researchers say they have uncovered new disk-wiping malware that disguises itself as ransomware while it unleashes destructive attacks on Israeli targets.
Apostle, as researchers at the security company SentinelOne are calling the malware, initially tried to wipe data but failed to do so, probably because of a logic error in its code. The internal name its developers gave it was “wiper-action”. In a later version the bug was fixed and the malware gained full ransomware behaviors, including the ability to leave notes demanding that victims pay a ransom in exchange for a decryption key.
In a report posted on Tuesday, SentinelOne researchers said they had determined with high confidence, based on Apostle’s code and the servers it reported to, that a newly discovered group linked to the Iranian government was using the malware. While one ransom note suggested that Apostle had been used against a critical facility in the United Arab Emirates, the main target was Israel.
“The use of ransomware as a disruptive tool is usually hard to prove, as it is difficult to determine a threat actor’s intentions,” Tuesday’s report said. “Analysis of the Apostle malware provides a rare insight into these types of attacks, drawing a clear line from what began as a wiper malware to fully operational ransomware.”
The researchers have named the new hacking group Agrius. SentinelOne first saw the group use Apostle as a disk wiper, although a flaw prevented the malware from wiping anything, probably because of a logic error in its code. Agrius then fell back on Deadwood, a wiper that had already been used in 2019 against a target in Saudi Arabia.
Agrius’s newer version of Apostle is fully fledged ransomware.
“We believe the implementation of the encryption functionality is there to mask its actual intention: destroying victim data,” Tuesday’s report said. “This thesis is supported by an early version of Apostle that the attackers internally named ‘wiper-action’.”
Apostle has significant code overlap with a backdoor used by Agrius, called IPSec Helper. IPSec Helper supports many commands, such as downloading and executing an executable supplied by the attackers’ command-and-control server. Both Apostle and IPSec Helper are written in .NET.
Agrius also uses web shells that allow the attackers to move laterally within a compromised network. To hide their IP addresses, members use ProtonVPN.
Iran-backed hackers already had an affinity for disk wipers. In 2012, self-replicating malware tore through the network of Saudi Aramco, the world’s largest crude exporter, and permanently destroyed the hard drives of more than 30,000 workstations. Researchers later identified the wiper worm as Shamoon and said it was the work of Iran.
In 2016, Shamoon reappeared in a campaign against several Saudi organizations, including various government agencies. Three years later, researchers found a new Iranian wiper called ZeroCleare.
Apostle is not the first wiper disguised as ransomware. NotPetya, the worm that caused billions of dollars in damage worldwide, was also disguised as ransomware until researchers determined that hackers backed by the Russian government had unleashed it to destabilize Ukraine.
SentinelOne principal threat researcher Juan Andres Guerrero-Saade said in an interview that malware like Apostle shows a convergence between cybercriminals, who are usually financially motivated, and nation-state hackers.
“The threat ecosystem continues to evolve as attackers develop different techniques to achieve their goals,” he said. “We see cybercrime groups learning from better-resourced nation-state groups. Also, nation-state groups are borrowing from criminal groups — masking their disruptive attacks as ransomware to create doubt about whether victims will recover their files in exchange for payment.”
This story first appeared on Ars Technica.