Apostle is malware that has functioned as both a wiper and, in more recent versions, as ransomware. Apostle is written in .NET and shares various programming and functional overlaps with IPsec Helper.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1485 | Data Destruction | Apostle initially masqueraded as ransomware but actual functionality is a data destruction tool, supported by an internal name linked to an early version, |
| Enterprise | T1486 | Data Encrypted for Impact | Apostle creates new, encrypted versions of files then deletes the originals, with the new filenames consisting of a random GUID and ".lock" for an extension.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Apostle compiled code is obfuscated in an unspecified fashion prior to delivery to victims.[1] |
| Enterprise | T1561.001 | Disk Wipe: Disk Content Wipe | Apostle searches for files on available drives based on a list of extensions hard-coded into the sample for follow-on wipe activity.[1] |
| Enterprise | T1480 | Execution Guardrails | Apostle's ransomware variant requires that a base64-encoded argument is passed when executed, which is used as the public key for subsequent encryption operations. If Apostle is executed without this argument, it automatically runs a self-delete function.[1] |
| Enterprise | T1070.001 | Indicator Removal: Clear Windows Event Logs | Apostle will attempt to delete all event logs on a victim machine following file wipe activity.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Apostle writes batch scripts to disk, such as |
| Enterprise | T1057 | Process Discovery | Apostle retrieves a list of all running processes on a victim host, and stops all services containing the string "sql," likely to propagate ransomware activity to database files.[1] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Apostle achieves persistence by creating a scheduled task, such as |
| Enterprise | T1529 | System Shutdown/Reboot | Apostle reboots the victim machine following wiping and related activity.[1] |
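The behaviours listed above (GUID-named ".lock" files replacing originals, stopping of services whose name contains "sql", and event log clearing) can be correlated per host from endpoint telemetry. The following is an added detection example written for this page; it is not code from MITRE, from the cited report, or from Apostle itself. It assumes a constructed event feed in which each record carries a `host`, an event `type`, and either a `path`, a `service`, or a `log` field; the field names, the sample events, and the two-file threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not taken from the page): one endpoint event per record.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "file_create",
     "path": r"C:\Users\a\Documents\3f2504e0-4f89-11d3-9a0c-0305e82c3301.lock"},
    {"host": "ws01", "type": "file_delete", "path": r"C:\Users\a\Documents\report.docx"},
    {"host": "ws01", "type": "file_create",
     "path": r"C:\Users\a\Documents\9B2A0C7E-1D2F-4E5A-8B6C-7D8E9F0A1B2C.lock"},
    {"host": "ws01", "type": "service_stop", "service": "MSSQLSERVER"},
    {"host": "ws01", "type": "eventlog_clear", "log": "Security"},
    # Benign noise on a second host: a non-GUID .lock file and an unrelated service stop.
    {"host": "ws02", "type": "file_create", "path": r"C:\temp\notes.lock"},
    {"host": "ws02", "type": "service_stop", "service": "Spooler"},
]

# Matches a file whose base name is an RFC 4122-style GUID followed by ".lock",
# the naming pattern the page attributes to Apostle's encrypted output files.
GUID_LOCK = re.compile(
    r"(?i)[\\/]([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\.lock$"
)


def is_guid_lock(path):
    """True if the path's file name is <GUID>.lock (case-insensitive hex)."""
    return bool(GUID_LOCK.search(path))


def score_hosts(events, lock_threshold=2):
    """Correlate the three indicators per host and return {host: [technique IDs]}.

    lock_threshold (an assumed value) avoids alerting on a single stray .lock file;
    a wiper touches many files, so several GUID.lock creations on one host is the signal.
    """
    per_host = defaultdict(lambda: {"guid_lock_files": 0,
                                    "sql_service_stops": 0,
                                    "eventlog_clears": 0})
    for ev in events:
        counters = per_host[ev["host"]]
        if ev["type"] == "file_create" and is_guid_lock(ev["path"]):
            counters["guid_lock_files"] += 1
        elif ev["type"] == "service_stop" and "sql" in ev["service"].lower():
            counters["sql_service_stops"] += 1
        elif ev["type"] == "eventlog_clear":
            counters["eventlog_clears"] += 1

    findings = {}
    for host, counters in per_host.items():
        indicators = []
        if counters["guid_lock_files"] >= lock_threshold:
            indicators.append("T1486")      # Data Encrypted for Impact
        if counters["sql_service_stops"]:
            indicators.append("T1057")      # Process Discovery / service stops
        if counters["eventlog_clears"]:
            indicators.append("T1070.001")  # Clear Windows Event Logs
        if indicators:
            findings[host] = indicators
    return findings


if __name__ == "__main__":
    for host, techniques in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(techniques)}")
```

Each indicator alone is weak (administrators stop SQL services and clear logs legitimately), so the function reports per-host combinations rather than single events; a host that shows the GUID.lock pattern together with service stops and log clearing is a far stronger signal than any one of them.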
| ID | Name | References |
|---|---|---|
| G1030 | Agrius | Agrius has used Apostle as both a wiper and ransomware-like effects capability in intrusions.[1] |