1. Home
  2. Software
  3. Apostle

Apostle

Apostle is malware that has functioned as both a wiper and, in more recent versions, as ransomware. Apostle is written in .NET and shares various programming and functional overlaps with IPsec Helper.[1]

ID: S1133
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 22 May 2024
Last Modified: 29 August 2024
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1140 反混淆/解码文件或信息

Apostle compiled code is obfuscated in an unspecified fashion prior to delivery to victims.[1]
Enterprise T1480 执行保护

Apostle's ransomware variant requires that a base64-encoded argument is passed when executed, that is used as the Public Key for subsequent encryption operations. If Apostle is executed without this argument, it automatically runs a self-delete function.[1]
Enterprise T1486 数据加密以实现影响

Apostle creates new, encrypted versions of files then deletes the originals, with the new filenames consisting of a random GUID and ".lock" for an extension.[1]
Enterprise T1485 数据销毁

Apostle initially masqueraded as ransomware but actual functionality is a data destruction tool, supported by an internal name linked to an early version, wiper-action. Apostle writes random data to original files after an encrypted copy is created, along with resizing the original file to zero and changing time property metadata before finally deleting the original file.[1]
Enterprise T1561 .001 磁盘擦除: Disk Content Wipe

Apostle searches for files on available drives based on a list of extensions hard-coded into the sample for follow-on wipe activity.[1]
Enterprise T1070 .001 移除指标: Clear Windows Event Logs

Apostle will attempt to delete all event logs on a victim machine following file wipe activity.[1]
.004 移除指标: File Deletion

Apostle writes batch scripts to disk, such as system.bat and remover.bat, that perform various anti-analysis and anti-forensic tasks, before finally deleting themselves at the end of execution. Apostle attempts to delete itself after encryption or wiping operations are complete and before shutting down the victim machine.[1]
Enterprise T1529 系统关机/重启

Apostle reboots the victim machine following wiping and related activity.[1]
Enterprise T1057 进程发现

Apostle retrieves a list of all running processes on a victim host, and stops all services containing the string "sql," likely to propagate ransomware activity to database files.[1]
Enterprise T1053 .005 预定任务/作业: Scheduled Task

Apostle achieves persistence by creating a scheduled task, such as MicrosoftCrashHandlerUAC.[1]

Groups That Use This Software

ID Name References
G1030 Agrius

Agrius has used Apostle as both a wiper and ransomware-like effects capability in intrusions.[1]

References

  1. Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024.