Agrius

Agrius is an Iranian threat actor, active since 2020, notable for a series of ransomware and wiper operations in the Middle East with an emphasis on Israeli targets.[1][2] Public reporting has linked Agrius to Iran's Ministry of Intelligence and Security (MOIS).[3]

ID: G1030
Associated Groups: Pink Sandstorm, AMERICIUM, Agonizing Serpens, BlackShadow
Contributors: Asritha Narina
Version: 1.0
Created: 21 May 2024
Last Modified: 29 August 2024

Associated Group Descriptions

Name Description
Pink Sandstorm [4]
AMERICIUM [4]
Agonizing Serpens [5]
BlackShadow [2]

Techniques Used

Domain ID Name Use
Enterprise T1583 Acquire Infrastructure

Agrius typically uses commercial VPN services, such as ProtonVPN, to anonymize last-hop traffic to victim networks.[1]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Agrius used 7zip to archive extracted data in preparation for exfiltration.[5]

Enterprise T1119 Automated Collection

Agrius used a custom tool, sql.net4.exe, to query SQL databases and then identify and extract personally identifiable information.[5]

Enterprise T1110 Brute Force

Agrius engaged in various brute forcing activities via SMB in victim environments.[5]

Enterprise T1110 .003 Brute Force: Password Spraying

Agrius engaged in password spraying via SMB in victim environments.[5]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Agrius uses ASPXSpy web shells to enable follow-on command execution via cmd.exe.[1]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Agrius has deployed IPsec Helper malware post-exploitation and registered it as a service for persistence.[1]

Enterprise T1005 Data from Local System

Agrius gathered data from database and other critical servers in victim environments, then used wipers to hinder analysis and forensics.[5]

Enterprise T1074 .001 Data Staged: Local Data Staging

Agrius has used the folder C:\windows\temp\s\ to stage data for exfiltration.[5]

Enterprise T1140 Deobfuscate/Decode Files or Information

Agrius has deployed base64-encoded variants of ASPXSpy to evade detection.[1]

Enterprise T1041 Exfiltration Over C2 Channel

Agrius exfiltrated staged data to its command and control servers using tools such as PuTTY and WinSCP.[5]

Enterprise T1190 Exploit Public-Facing Application

Agrius exploits public-facing applications for initial access to victim environments. Examples include widespread attempts to exploit CVE-2018-13379 in FortiOS devices and SQL injection activity.[1]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Agrius used several mechanisms to try to disable security tools: it attempted to modify EDR-related services so they would not auto-start on system reboot, and it used a publicly available driver, GMER64.sys (normally used for anti-rootkit functionality), to selectively stop and remove security software processes.[5]

Enterprise T1570 Lateral Tool Transfer

Agrius downloaded some payloads for follow-on execution from legitimate filesharing services such as ufile.io and easyupload.io.[2]

Enterprise T1036 Masquerading

Agrius used the Plink tool for tunneling and connections to remote machines, renaming it systems.exe in some instances.[5]

Enterprise T1046 Network Service Discovery

Agrius used the open-source port scanner WinEggDrop to perform detailed scans of hosts of interest in victim networks.[5]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Agrius used tools such as Mimikatz to dump LSASS memory to capture credentials in victim environments.[5]

Enterprise T1003 .002 OS Credential Dumping: Security Account Manager

Agrius dumped the SAM file on victim machines to capture credentials.[5]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Agrius tunnels RDP traffic through deployed web shells to access victim environments via compromised accounts.[1] Agrius used the Plink tool to tunnel RDP connections for remote access and lateral movement in victim environments.[5]

Enterprise T1018 Remote System Discovery

Agrius used the tool NBTscan to scan for remote, accessible hosts in victim environments.[5]

Enterprise T1505 .003 Server Software Component: Web Shell

Agrius typically deploys a variant of the ASPXSpy web shell following initial access via exploitation.[1]

Enterprise T1078 .002 Valid Accounts: Domain Accounts

Agrius attempted to acquire valid credentials for victim environments through various means to enable follow-on lateral movement.[5]

Software

ID Name References Techniques

S1133 Apostle

Agrius has used Apostle both as a wiper and as a capability with ransomware-like effects in intrusions.[1]

Techniques: Data Destruction, Data Encrypted for Impact, Deobfuscate/Decode Files or Information, Disk Wipe: Disk Content Wipe, Execution Guardrails, Indicator Removal: Clear Windows Event Logs, Indicator Removal: File Deletion, Process Discovery, Scheduled Task/Job: Scheduled Task, System Shutdown/Reboot

S0073 ASPXSpy

Agrius relies on web shells for persistent access post-exploitation, with an emphasis on variants of ASPXSpy.[1]

Techniques: Server Software Component: Web Shell

S1136 BFG Agonizer

BFG Agonizer has been used by Agrius for wiping operations.[5]

Techniques: Compromise Host Software Binary, Disk Wipe: Disk Structure Wipe, Inhibit System Recovery, System Shutdown/Reboot

S1134 DEADWOOD

DEADWOOD has been used by Agrius in wiping operations.[1]

Techniques: Account Access Removal, Data Destruction, Deobfuscate/Decode Files or Information, Disk Wipe: Disk Content Wipe, Disk Wipe: Disk Structure Wipe, Masquerading: Masquerade Task or Service, Obfuscated Files or Information: Embedded Payloads, Obfuscated Files or Information: Encrypted/Encoded File, System Services: Service Execution, System Time Discovery

S1132 IPsec Helper

Agrius uses IPsec Helper as a post-exploitation remote access tool framework.[1]

Techniques: Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, Exfiltration Over C2 Channel, Indicator Removal, Indicator Removal: Clear Persistence, Indicator Removal: File Deletion, Lateral Tool Transfer, Modify Registry, Obfuscated Files or Information: Encrypted/Encoded File, Process Discovery, System Services: Service Execution, Virtualization/Sandbox Evasion: Time Based Evasion

S0002 Mimikatz

Agrius used Mimikatz to dump credentials from LSASS memory.[5]

Techniques: Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket

S1137 Moneybird

Moneybird is associated with ransomware operations launched by Agrius.[2]

Techniques: Data Encrypted for Impact, Obfuscated Files or Information: Embedded Payloads

S1135 MultiLayer Wiper

MultiLayer Wiper is associated with wiping operations linked to Agrius.[5]

Techniques: Command and Scripting Interpreter: Windows Command Shell, Data Destruction, Data Manipulation: Stored Data Manipulation, Disk Wipe: Disk Structure Wipe, File and Directory Discovery, Impair Defenses: Disable or Modify Tools, Indicator Removal, Indicator Removal: File Deletion, Indicator Removal: Clear Windows Event Logs, Indicator Removal: Timestomp, Inhibit System Recovery, Obfuscated Files or Information: Embedded Payloads, Scheduled Task/Job: Scheduled Task, System Shutdown/Reboot

S0590 NBTscan

Agrius used NBTscan to scan victim networks for existing and accessible hosts.[5]

Techniques: Network Service Discovery, Network Sniffing, Remote System Discovery, System Network Configuration Discovery, System Owner/User Discovery

References