Agrius

Agrius is an Iranian threat actor active since 2020 notable for a series of ransomware and wiper operations in the Middle East, with an emphasis on Israeli targets.[1][2] Public reporting has linked Agrius to Iran's Ministry of Intelligence and Security (MOIS).[3]

ID: G1030
Associated Groups: Pink Sandstorm, AMERICIUM, Agonizing Serpens, BlackShadow
Contributors: Asritha Narina
Version: 1.0
Created: 21 May 2024
Last Modified: 29 August 2024

Associated Group Descriptions

Name Description
Pink Sandstorm [4]
AMERICIUM [4]
Agonizing Serpens [5]
BlackShadow [2]

Techniques Used

Domain ID Name Use
Enterprise T1005 Data from Local System

Agrius gathered data from database and other critical servers in victim environments, then used wiping as an anti-analysis and anti-forensics measure.[5]

Enterprise T1036 Masquerading

Agrius used the Plink tool for tunneling and connections to remote machines, renaming it systems.exe in some instances.[5]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Agrius has deployed IPsec Helper malware post-exploitation and registered it as a service for persistence.[1]

Enterprise T1190 Exploit Public-Facing Application

Agrius exploits public-facing applications for initial access to victim environments. Examples include widespread attempts to exploit CVE-2018-13379 in FortiOS devices and SQL injection activity.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Agrius has deployed base64-encoded variants of ASPXSpy to evade detection.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Agrius uses ASPXSpy web shells to enable follow-on command execution via cmd.exe.[1]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Agrius used several mechanisms to try to disable security tools. Agrius attempted to modify EDR-related services to disable auto-start on system reboot. Agrius also used a publicly available driver, GMER64.sys, typically used for anti-rootkit functionality, to selectively stop and remove security software processes.[5]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Agrius used 7zip to archive extracted data in preparation for exfiltration.[5]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Agrius used tools such as Mimikatz to dump LSASS memory to capture credentials in victim environments.[5]

.002 OS Credential Dumping: Security Account Manager

Agrius dumped the SAM file on victim machines to capture credentials.[5]

Enterprise T1074 .001 Data Staged: Local Data Staging

Agrius has used the folder, C:\windows\temp\s\, to stage data for exfiltration.[5]
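As an added, defender-side example (not part of the ATT&CK page or the cited reports), the following Python checks constructed Sysmon-style events for the host artefacts named in the Masquerading, Impair Defenses and Data Staged entries above: Plink renamed to systems.exe, an EDR service's Start value set to disabled, a GMER64.sys driver load, and writes under C:\windows\temp\s\. The EDR service names and every event value are assumptions, not real telemetry.

```python
from __future__ import annotations

# Constructed Sysmon-style events (EventID 1 process create, 6 driver load,
# 11 file create, 13 registry value set). None of this is real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\Temp\\systems.exe",
     "OriginalFileName": "plink.exe"},
    {"EventID": 13, "Details": "DWORD (0x00000004)",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\SentinelAgent\\Start"},
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\Temp\\GMER64.sys"},
    {"EventID": 11, "TargetFilename": "C:\\windows\\temp\\s\\customers.7z"},
    {"EventID": 1, "Image": "C:\\Program Files\\PuTTY\\plink.exe",
     "OriginalFileName": "plink.exe"},  # benign: on-disk name matches, no alert
]

# Assumed EDR service names; tune to the products actually deployed.
EDR_SERVICE_NAMES = {"sentinelagent", "csagent", "mssense", "windefend"}
SERVICE_DISABLED = "0x00000004"   # Start=4 means the service never auto-starts
STAGING_PREFIX = "c:\\windows\\temp\\s\\"   # staging folder named in the page


def classify(event: dict) -> str | None:
    """Return an ATT&CK-labelled finding for a suspicious event, else None."""
    eid = event.get("EventID")
    if eid == 1:
        # T1036: PE OriginalFileName says plink.exe but the on-disk name differs
        image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
        if event.get("OriginalFileName", "").lower() == "plink.exe" and image != "plink.exe":
            return f"T1036 renamed Plink ({image})"
    elif eid == 13:
        # T1562.001: Start value of an EDR service rewritten to 4 (disabled)
        parts = event.get("TargetObject", "").lower().split("\\")
        if (len(parts) >= 2 and parts[-1] == "start"
                and parts[-2] in EDR_SERVICE_NAMES
                and SERVICE_DISABLED in event.get("Details", "")):
            return f"T1562.001 EDR service {parts[-2]} disabled at boot"
    elif eid == 6:
        # T1562.001: load of GMER64.sys, the anti-rootkit driver abused by Agrius
        if event.get("ImageLoaded", "").lower().endswith("\\gmer64.sys"):
            return "T1562.001 GMER64.sys driver load"
    elif eid == 11:
        # T1074.001: anything written under the staging folder
        if event.get("TargetFilename", "").lower().startswith(STAGING_PREFIX):
            return f"T1074.001 file staged under {STAGING_PREFIX}"
    return None


def hunt(events: list[dict]) -> list[str]:
    # Run classify() over a batch and keep only the findings, in event order.
    return [hit for hit in map(classify, events) if hit]
```

Running hunt(SAMPLE_EVENTS) yields four findings and skips the benign plink.exe execution, because the match is on the PE name disagreeing with the on-disk name, not on Plink itself.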

Enterprise T1110 Brute Force

Agrius engaged in various brute forcing activities via SMB in victim environments.[5]

.003 Password Spraying

Agrius engaged in password spraying via SMB in victim environments.[5]

Enterprise T1078 .002 Valid Accounts: Domain Accounts

Agrius attempted to acquire valid credentials for victim environments through various means to enable follow-on lateral movement.[5]

Enterprise T1505 .003 Server Software Component: Web Shell

Agrius typically deploys a variant of the ASPXSpy web shell following initial access via exploitation.[1]

Enterprise T1570 Lateral Tool Transfer

Agrius downloaded some payloads for follow-on execution from legitimate filesharing services such as ufile.io and easyupload.io.[2]

Enterprise T1046 Network Service Discovery

Agrius used the open-source port scanner WinEggDrop to perform detailed scans of hosts of interest in victim networks.[5]

Enterprise T1119 Automated Collection

Agrius used a custom tool, sql.net4.exe, to query SQL databases and then identify and extract personally identifiable information.[5]

Enterprise T1583 Acquire Infrastructure

Agrius typically uses commercial VPN services, such as ProtonVPN, to anonymize last-hop traffic to victim networks.[1]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Agrius tunnels RDP traffic through deployed web shells to access victim environments via compromised accounts.[1] Agrius used the Plink tool to tunnel RDP connections for remote access and lateral movement in victim environments.[5]

Enterprise T1018 Remote System Discovery

Agrius used the tool NBTscan to scan for remote, accessible hosts in victim environments.[5]

Enterprise T1041 Exfiltration Over C2 Channel

Agrius exfiltrated staged data to its command and control servers using tools such as PuTTY and WinSCP.[5]

Software

ID Name References Techniques
S1133 Apostle Agrius has used Apostle in intrusions as both a wiper and a ransomware-like capability.[1] Deobfuscate/Decode Files or Information, Execution Guardrails, Data Encrypted for Impact, Data Destruction, Disk Wipe: Disk Content Wipe, Indicator Removal: Clear Windows Event Logs, Indicator Removal: File Deletion, System Shutdown/Reboot, Process Discovery, Scheduled Task/Job: Scheduled Task
S0073 ASPXSpy Agrius relies on web shells for persistent access post-exploitation, with an emphasis on variants of ASPXSpy.[1] Server Software Component: Web Shell
S1136 BFG Agonizer BFG Agonizer has been used by Agrius for wiping operations.[5] Compromise Host Software Binary, Disk Wipe: Disk Structure Wipe, System Shutdown/Reboot, Inhibit System Recovery
S1134 DEADWOOD DEADWOOD has been used by Agrius in wiping operations.[1] Masquerading: Masquerade Task or Service, Deobfuscate/Decode Files or Information, Data Destruction, Obfuscated Files or Information: Embedded Payloads, Obfuscated Files or Information: Encrypted/Encoded File, Disk Wipe: Disk Content Wipe, Disk Wipe: Disk Structure Wipe, System Time Discovery, System Services: Service Execution, Account Access Removal
S1132 IPsec Helper Agrius uses IPsec Helper as a post-exploitation remote access tool framework.[1] Data from Local System, Modify Registry, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, Lateral Tool Transfer, Obfuscated Files or Information: Encrypted/Encoded File, Indicator Removal, Indicator Removal: Clear Persistence, Indicator Removal: File Deletion, System Services: Service Execution, Virtualization/Sandbox Evasion: Time Based Evasion, Process Discovery, Exfiltration Over C2 Channel
S0002 Mimikatz Agrius used Mimikatz to dump credentials from LSASS memory.[5] Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, Rogue Domain Controller, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket, Boot or Logon Autostart Execution: Security Support Provider, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Unsecured Credentials: Private Keys, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Authentication Certificates, Access Token Manipulation: SID-History Injection, Account Manipulation
S1137 Moneybird Moneybird is associated with ransomware operations launched by Agrius.[2] Data Encrypted for Impact, Obfuscated Files or Information: Embedded Payloads
S1135 MultiLayer Wiper MultiLayer Wiper is associated with wiping operations linked to Agrius.[5] Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify Tools, Data Manipulation: Stored Data Manipulation, Data Destruction, File and Directory Discovery, Obfuscated Files or Information: Embedded Payloads, Disk Wipe: Disk Structure Wipe, Indicator Removal, Indicator Removal: File Deletion, Indicator Removal: Clear Windows Event Logs, Indicator Removal: Timestomp, System Shutdown/Reboot, Inhibit System Recovery, Scheduled Task/Job: Scheduled Task
S0590 NBTscan Agrius used NBTscan to scan victim networks for existing and accessible hosts.[5] System Owner/User Discovery, System Network Configuration Discovery, Network Sniffing, Network Service Discovery, Remote System Discovery

References