Israel: A series of destructive cyberattacks that began in January 2023 has targeted Israeli higher education and technology sectors with the aim of deploying previously undocumented wiper malware. The intrusions, which continued until October, have been attributed to a nation-state hacking group tracked as Agonizing Serpens (also known as Agrius, BlackShadow, and Pink Sandstorm, formerly Americium). According to a report by Palo Alto Networks Unit 42, the attacks focused on stealing sensitive data, including personally identifiable information (PII) and intellectual property. Once the attackers had obtained the information, they used various wipers to cover their tracks and render the infected endpoints unusable.
The wipers include MultiLayer, PartialWasher, and BFG Agonizer; the attackers also used a custom tool called Sqlextractor to extract data from database servers. Agonizing Serpens has been active since at least December 2020 and has previously been linked to wiper attacks targeting Israeli entities. In an earlier incident, Check Point reported the group's use of the ransomware strain Moneybird in attacks against Israel.
The recent attacks involved exploiting vulnerable internet-facing web servers to gain initial access, deploying web shells, conducting network reconnaissance, and stealing credentials with administrative privileges. MultiLayer is .NET malware that either deletes files or overwrites them with random data to prevent recovery, and renders the system unusable by wiping the boot sector. PartialWasher is C++-based malware used to scan drives and wipe specified folders and their subfolders. BFG Agonizer relies heavily on the open-source project CRYLINE-v5.0.
The link to Agonizing Serpens (Agrius) is based on code overlaps with other malware families the group has used in the past, such as Apostle, IPsec Helper, and Fantasy. Unit 42 researchers noted that the APT group has recently upgraded its capabilities and is investing significant effort and resources in bypassing Endpoint Detection and Response (EDR) and other security measures. It does this by rotating between different known proof-of-concept (PoC) and penetration-testing tools as well as custom tools.
