BFG Agonizer

BFG Agonizer is a wiper related to the open-source project CRYLINE-v.5.0. The malware is associated with wiping operations conducted by the Agrius threat actor.[1]

ID: S1136
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 22 May 2024
Last Modified: 29 August 2024

Techniques Used

Domain ID Name Use
Enterprise T1554 Compromise Host Software Binary

BFG Agonizer uses DLL unhooking to remove the user-mode inline hooks that security solutions commonly install, and IAT unhooking to remove the user-mode IAT hooks those solutions also rely on.[1]

Enterprise T1561.002 Disk Wipe: Disk Structure Wipe

BFG Agonizer retrieves a device handle to \\.\PhysicalDrive0 to wipe the boot sector of a given disk.[1]

Enterprise T1490 Inhibit System Recovery

BFG Agonizer wipes the boot sector of infected machines to inhibit system recovery.[1]

Enterprise T1529 System Shutdown/Reboot

BFG Agonizer uses elevated privileges to call NtRaiseHardError to induce a "blue screen of death" on infected systems, causing a system crash. Once shut down, the system is no longer bootable.[1]
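The two behaviours described above (a handle to \\.\PhysicalDrive0 opened for writing, then NtRaiseHardError called from a non-system process) are observable from endpoint telemetry. The following added example is not from the ATT&CK page or the cited report; it is detection logic written for this entry that runs over a constructed sample of sensor events. The key=value event format, the field names (event, pid, image, object, access, api), the allow-list entry C:\Backup\imager.exe and the rule that NtRaiseHardError is expected only from images under C:\Windows\ are all assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs): one event per line, key=value pairs
# in the style of a generic endpoint sensor. Format and field names are assumed.
SAMPLE_EVENTS = r"""
ts=2024-05-22T10:00:01Z event=handle pid=4321 image=C:\Users\u\AppData\Local\Temp\agonizer.exe object=\\.\PhysicalDrive0 access=GENERIC_READ|GENERIC_WRITE
ts=2024-05-22T10:00:02Z event=handle pid=1200 image=C:\Windows\System32\svchost.exe object=\\.\PhysicalDrive0 access=GENERIC_READ
ts=2024-05-22T10:00:03Z event=handle pid=2210 image=C:\Backup\imager.exe object=\\.\PhysicalDrive1 access=GENERIC_READ|GENERIC_WRITE
ts=2024-05-22T10:00:04Z event=api pid=4321 image=C:\Users\u\AppData\Local\Temp\agonizer.exe api=NtRaiseHardError integrity=High
ts=2024-05-22T10:00:05Z event=api pid=900 image=C:\Windows\System32\csrss.exe api=NtRaiseHardError integrity=System
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
# Raw physical-drive device objects such as \\.\PhysicalDrive0 (boot sector lives at offset 0).
RAW_DISK_RE = re.compile(r"^\\\\\.\\PhysicalDrive\d+$", re.IGNORECASE)
WRITE_ACCESS = {"GENERIC_WRITE", "GENERIC_ALL"}

# Hypothetical allow-list of imaging/backup tools expected to write raw disks in this environment.
RAW_WRITE_ALLOWLIST = {"c:\\backup\\imager.exe"}
# Assumption for the example: legitimate NtRaiseHardError callers live under the Windows directory.
WINDOWS_DIR = "c:\\windows\\"


def parse_event(line):
    """Turn one key=value line into a dict (values contain no spaces in this format)."""
    return dict(KV_RE.findall(line))


def raw_disk_write(ev):
    """True when a process opens a raw physical drive with write access and is not allow-listed."""
    if ev.get("event") != "handle":
        return False
    if not RAW_DISK_RE.match(ev.get("object", "")):
        return False
    access = set(ev.get("access", "").split("|"))
    return bool(access & WRITE_ACCESS) and ev.get("image", "").lower() not in RAW_WRITE_ALLOWLIST


def hard_error_from_user_process(ev):
    """True when NtRaiseHardError is called by an image outside the Windows directory."""
    if ev.get("event") != "api" or ev.get("api") != "NtRaiseHardError":
        return False
    return not ev.get("image", "").lower().startswith(WINDOWS_DIR)


def detect(lines):
    """Correlate both rules per pid; a process matching both is scored high, one rule medium."""
    per_pid = defaultdict(lambda: {"image": None, "reasons": []})
    for line in lines:
        ev = parse_event(line)
        pid = ev.get("pid")
        if not pid:
            continue  # blank or malformed line
        reasons = []
        if raw_disk_write(ev):
            reasons.append("raw_disk_write_handle")
        if hard_error_from_user_process(ev):
            reasons.append("NtRaiseHardError_from_user_process")
        if reasons:
            per_pid[pid]["image"] = ev.get("image")
            per_pid[pid]["reasons"].extend(reasons)
    findings = []
    for pid, f in per_pid.items():
        severity = "high" if len(set(f["reasons"])) > 1 else "medium"
        findings.append({"pid": pid, "image": f["image"], "severity": severity, "reasons": f["reasons"]})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS.splitlines()):
        print(finding)
```

Running the block on the constructed sample reports a single high-severity finding for pid 4321: the read-only svchost handle, the allow-listed imager and the csrss call are all left alone. In a real deployment the allow-list and the Windows-directory heuristic would be tuned to the environment, and a write handle to a raw drive from a process in a user-writable directory is worth alerting on by itself even without the NtRaiseHardError corroboration.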

Groups That Use This Software

ID Name References
G1030 Agrius

BFG Agonizer has been used by Agrius for wiping operations.[1]

References