S1136 BFG Agonizer
BFG Agonizer is a wiper related to the open-source project CRYLINE-v.5.0. The malware is associated with wiping operations conducted by the Agrius threat actor.[1]
| Item | Value |
|---|---|
| ID | S1136 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 22 May 2024 |
| Last Modified | 29 August 2024 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1554 | Compromise Host Software Binary | BFG Agonizer uses DLL unhooking to remove the user-mode inline hooks that security solutions commonly place in system DLLs. BFG Agonizer also uses IAT unhooking to remove the user-mode Import Address Table hooks that security solutions likewise rely on.[1] |
| enterprise | T1561 | Disk Wipe | - |
| enterprise | T1561.002 | Disk Structure Wipe | BFG Agonizer retrieves a device handle to `\\.\PhysicalDrive0` to wipe the boot sector of a given disk.[1] |
| enterprise | T1490 | Inhibit System Recovery | BFG Agonizer wipes the boot sector of infected machines to inhibit system recovery.[1] |
| enterprise | T1529 | System Shutdown/Reboot | BFG Agonizer uses elevated privileges to call `NtRaiseHardError` to induce a "blue screen of death" on infected systems, causing a system crash. Once shut down, the system is no longer bootable.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1030 | Agrius | BFG Agonizer has been used by Agrius for wiping operations.[1] |