G1030 Agrius
Agrius is an Iranian threat actor, active since 2020, notable for a series of ransomware and wiper operations in the Middle East with an emphasis on Israeli targets.[1][2] Public reporting has linked Agrius to Iran's Ministry of Intelligence and Security (MOIS).[4]
| Item | Value |
|---|---|
| ID | G1030 |
| Associated Names | Pink Sandstorm, AMERICIUM, Agonizing Serpens, BlackShadow |
| Version | 1.0 |
| Created | 21 May 2024 |
| Last Modified | 29 August 2024 |
Associated Group Descriptions
| Name | Description |
|---|---|
| Pink Sandstorm | [3] |
| AMERICIUM | [3] |
| Agonizing Serpens | [5] |
| BlackShadow | [2] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1583 | Acquire Infrastructure | Agrius typically uses commercial VPN services, such as ProtonVPN, to anonymize last-hop traffic to victim networks.[1] |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.001 | Archive via Utility | Agrius used 7zip to archive extracted data in preparation for exfiltration.[5] |
| enterprise | T1119 | Automated Collection | Agrius used a custom tool, sql.net4.exe, to query SQL databases and then identify and extract personally identifiable information.[5] |
| enterprise | T1110 | Brute Force | Agrius engaged in various brute-forcing activities via SMB in victim environments.[5] |
| enterprise | T1110.003 | Password Spraying | Agrius engaged in password spraying via SMB in victim environments.[5] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Agrius uses ASPXSpy web shells to enable follow-on command execution via cmd.exe.[1] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | Agrius has deployed IPsec Helper malware post-exploitation and registered it as a service for persistence.[1] |
| enterprise | T1005 | Data from Local System | Agrius gathered data from database and other critical servers in victim environments, then used wiping as an anti-analysis and anti-forensics measure.[5] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | Agrius has used the folder C:\windows\temp\s\ to stage data for exfiltration.[5] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Agrius has deployed base64-encoded variants of ASPXSpy to evade detection.[1] |
| enterprise | T1041 | Exfiltration Over C2 Channel | Agrius exfiltrated staged data using tools such as PuTTY and WinSCP, communicating with command and control servers.[5] |
| enterprise | T1190 | Exploit Public-Facing Application | Agrius exploits public-facing applications for initial access to victim environments. Examples include widespread attempts to exploit CVE-2018-13379 in FortiOS devices and SQL injection activity.[1] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | Agrius used several mechanisms to try to disable security tools. Agrius attempted to modify EDR-related services to disable auto-start on system reboot. Agrius used a publicly available driver, GMER64.sys, typically used for anti-rootkit functionality, to selectively stop and remove security software processes.[5] |
| enterprise | T1570 | Lateral Tool Transfer | Agrius downloaded some payloads for follow-on execution from legitimate file-sharing services such as ufile.io and easyupload.io.[2] |
| enterprise | T1036 | Masquerading | Agrius used the Plink tool for tunneling and connections to remote machines, renaming it systems.exe in some instances.[5] |
| enterprise | T1046 | Network Service Discovery | Agrius used the open-source port scanner WinEggDrop to perform detailed scans of hosts of interest in victim networks.[5] |
| enterprise | T1003 | OS Credential Dumping | - |
| enterprise | T1003.001 | LSASS Memory | Agrius used tools such as Mimikatz to dump LSASS memory to capture credentials in victim environments.[5] |
| enterprise | T1003.002 | Security Account Manager | Agrius dumped the SAM file on victim machines to capture credentials.[5] |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.001 | Remote Desktop Protocol | Agrius tunnels RDP traffic through deployed web shells to access victim environments via compromised accounts.[1] Agrius used the Plink tool to tunnel RDP connections for remote access and lateral movement in victim environments.[5] |
| enterprise | T1018 | Remote System Discovery | Agrius used the tool NBTscan to scan for remote, accessible hosts in victim environments.[5] |
| enterprise | T1505 | Server Software Component | - |
| enterprise | T1505.003 | Web Shell | Agrius typically deploys a variant of the ASPXSpy web shell following initial access via exploitation.[1] |
| enterprise | T1078 | Valid Accounts | - |
| enterprise | T1078.002 | Domain Accounts | Agrius attempted to acquire valid credentials for victim environments through various means to enable follow-on lateral movement.[5] |
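Three of the behaviours in the table above (Plink renamed to systems.exe, EDR services set to not auto-start, and staging under C:\windows\temp\s\) leave host-telemetry artifacts a defender can check for. The following is an added example, not code from the ATT&CK page or from any referenced report: it runs simple detectors over constructed Sysmon-style process and file events. The field names follow Sysmon conventions (Image, OriginalFileName, CommandLine, TargetFilename); the EDR service names and all event values are constructed placeholders.

```python
# Added example, not code from the ATT&CK page: flag three Agrius behaviours from the
# table above in constructed Sysmon-style events. Field names follow Sysmon (Image,
# OriginalFileName, CommandLine, TargetFilename); service names and events are made up.
import ntpath
import re

STAGING_DIR = "c:\\windows\\temp\\s\\"        # T1074.001 staging folder named on the page
EDR_SERVICES = {"edrsvc", "avagent"}         # constructed placeholder EDR service names
SC_DISABLE = re.compile(r"\bsc(?:\.exe)?\s+config\s+(\S+)\s+start=\s*disabled", re.I)

def plink_masquerade(ev):
    """T1036: PE OriginalFileName is plink.exe but the file runs under another name."""
    if ev.get("OriginalFileName", "").lower() != "plink.exe":
        return None
    name = ntpath.basename(ev.get("Image", "")).lower()
    return name if name != "plink.exe" else None

def edr_autostart_disabled(ev):
    """T1562.001: 'sc config <svc> start= disabled' aimed at a known EDR service."""
    m = SC_DISABLE.search(ev.get("CommandLine", ""))
    return m.group(1) if m and m.group(1).lower() in EDR_SERVICES else None

def staging_write(ev):
    """T1074.001: file created under the staging folder seen in Agrius intrusions."""
    target = ev.get("TargetFilename", "").lower()
    return target if target.startswith(STAGING_DIR) else None

DETECTORS = (("T1036", plink_masquerade), ("T1562.001", edr_autostart_disabled),
             ("T1074.001", staging_write))

def triage(events):
    """Return (technique, event_index, detail) for every event a detector matches."""
    return [(tech, i, d) for i, ev in enumerate(events)
            for tech, fn in DETECTORS if (d := fn(ev))]

# Constructed sample events, not real telemetry. The last one is a legitimately
# named plink.exe and must not fire.
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\Public\\systems.exe", "OriginalFileName": "Plink.exe",
     "CommandLine": "systems.exe -ssh user@host"},
    {"Image": "C:\\Windows\\System32\\sc.exe", "OriginalFileName": "sc.exe",
     "CommandLine": "sc config EdrSvc start= disabled"},
    {"Image": "C:\\Program Files\\7-Zip\\7z.exe", "OriginalFileName": "7z.exe",
     "TargetFilename": "C:\\Windows\\Temp\\s\\db-export.7z"},
    {"Image": "C:\\Program Files\\PuTTY\\plink.exe", "OriginalFileName": "Plink.exe",
     "CommandLine": "plink.exe -ssh admin@jumphost"},
]
if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The OriginalFileName check is the useful part of the Plink detector: a rename changes the on-disk name but not the PE version resource, so the mismatch survives the masquerade.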
References
1. Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024.
2. Marc Salinas Fernandez & Jiri Vinopal. (2023, May 23). Agrius Deploys Moneybird in Targeted Attacks Against Israeli Organizations. Retrieved May 21, 2024.
3. Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
4. Microsoft Threat Intelligence. (2023, May 2). Iran turning to cyber-enabled influence operations for greater effect. Retrieved May 21, 2024.
5. Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan. (2023, November 6). Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors. Retrieved May 22, 2024.