S1133 Apostle
Apostle is malware that has functioned as both a wiper and, in more recent versions, as ransomware. Apostle is written in .NET and shares various programming and functional overlaps with IPsec Helper.
| Item | Value |
|---|---|
| ID | S1133 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 22 May 2024 |
| Last Modified | 29 August 2024 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1485 | Data Destruction | Apostle initially masqueraded as ransomware, but its actual functionality is a data destruction tool, supported by an internal name linked to an early version, wiper-action. Apostle writes random data to original files after an encrypted copy is created, along with resizing the original file to zero and changing time property metadata before finally deleting the original file. |
| enterprise | T1486 | Data Encrypted for Impact | Apostle creates new, encrypted versions of files then deletes the originals, with the new filenames consisting of a random GUID and ".lock" as an extension. |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Apostle's compiled code is obfuscated in an unspecified fashion prior to delivery to victims. |
| enterprise | T1561 | Disk Wipe | - |
| enterprise | T1561.001 | Disk Content Wipe | Apostle searches for files on available drives based on a list of extensions hard-coded into the sample for follow-on wipe activity. |
| enterprise | T1480 | Execution Guardrails | Apostle's ransomware variant requires that a base64-encoded argument is passed when executed; this argument is used as the public key for subsequent encryption operations. If Apostle is executed without this argument, it automatically runs a self-delete function. |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.001 | Clear Windows Event Logs | Apostle will attempt to delete all event logs on a victim machine following file wipe activity. |
| enterprise | T1070.004 | File Deletion | Apostle writes batch scripts to disk, such as system.bat and remover.bat, that perform various anti-analysis and anti-forensic tasks before finally deleting themselves at the end of execution. Apostle attempts to delete itself after encryption or wiping operations are complete and before shutting down the victim machine. |
| enterprise | T1057 | Process Discovery | Apostle retrieves a list of all running processes on a victim host and stops all services containing the string "sql", likely to extend ransomware activity to database files held open by those services. |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | Apostle achieves persistence by creating a scheduled task, such as MicrosoftCrashHandlerUAC. |
| enterprise | T1529 | System Shutdown/Reboot | Apostle reboots the victim machine following wiping and related activity. |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1030 | Agrius | Agrius has used Apostle as both a wiper and a ransomware-like effects capability in intrusions. |