Agonizing Serpens Attacks Israeli Academic and Technological Domains
Since January 2023, Israel's higher education and technology sectors have been hit by a series of destructive cyberattacks that deployed previously unseen malware built to destroy data. According to Palo Alto Networks Unit 42's analysis, these attacks, the most recent of them in October 2023, aimed first at stealing sensitive data, including personal information and intellectual property, before wiping the compromised systems.
The Iranian-backed APT group Agonizing Serpens used several wipers to destroy evidence and render the infected endpoints unusable. Its arsenal included three previously undocumented wipers, MultiLayer, PartialWasher and BFG Agonizer, along with a purpose-built tool, Sqlextractor, for pulling data out of database servers:
- MultiLayer is a .NET-based wiper that enumerates the files on the system, either deletes them or overwrites them with random data so they cannot be recovered, and finally wipes the boot sector so the machine no longer starts.
- PartialWasher is a C++ wiper that scans the drives and wipes the folders it is configured to target.
- BFG Agonizer is a wiper that borrows heavily from the open-source CRYLINE-v5.0 ransomware project.
Agonizing Serpens, active since December 2020 and associated with attacks on Israeli targets, is also tracked under the names Agrius, BlackShadow and Pink Sandstorm. In May 2023, Check Point detailed Agrius's deployment of the Moneybird ransomware in its intrusions.
In the recent intrusions, the attackers gained initial access through vulnerable web servers, deployed web shells for reconnaissance inside the victim networks, and stole the credentials of users holding administrative privileges. They then moved laterally and exfiltrated data with a mix of tools, including Sqlextractor, WinSCP and PuTTY, before deploying the wipers as the final stage.
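The chain described above has a recognisable telemetry footprint: a web server worker process spawning a command shell (the web shell), credential-dumping command lines shortly afterwards, and file-transfer or SSH clients such as WinSCP and PuTTY running on application or database servers where they have no business. The following script is an added example written for this page, not Unit 42's detection content or the actor's tooling. It runs simple per-host correlation over process-creation events; the event records are constructed for the example, their field names loosely mimic Sysmon Event ID 1, and the process names and credential-dump markers are generic assumptions rather than indicators from the report.

```python
"""Per-host correlation of web-shell, credential-access and exfiltration-tool
indicators over constructed process-creation events (added example)."""

from collections import defaultdict
from dataclasses import dataclass

# Web server worker processes; a shell spawned by one of these is the classic web-shell signature.
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat9.exe", "php-cgi.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh.exe", "bash.exe"}
# Transfer / remote-access tools named in the article. Normal on an admin workstation,
# suspicious on an application or database server.
TRANSFER_TOOLS = {"winscp.exe", "putty.exe", "plink.exe", "pscp.exe", "psftp.exe"}
# Generic credential-dumping command-line markers (assumed; not tied to this actor's tooling).
CRED_DUMP_MARKERS = ("sekurlsa", "lsass", "procdump", "comsvcs.dll")


@dataclass
class ProcEvent:
    ts: int        # seconds since epoch (constructed values)
    host: str
    role: str      # "web", "db" or "workstation"
    parent: str    # parent image path
    image: str     # image path
    cmdline: str


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev):
    """Return a list of (tactic, detail) tags for one event; empty if nothing matched."""
    tags = []
    parent, image = basename(ev.parent), basename(ev.image)
    cl = ev.cmdline.lower()
    if parent in WEB_WORKERS and image in SHELLS:
        tags.append(("webshell", f"{parent} spawned {image}"))
    if any(marker in cl for marker in CRED_DUMP_MARKERS):
        tags.append(("cred_access", f"credential-dump pattern in {image}"))
    if image in TRANSFER_TOOLS and ev.role in {"web", "db"}:
        tags.append(("exfil_tool", f"{image} on {ev.role} server"))
    return tags


def correlate(events):
    """Group hits per host in time order. A host showing a web shell followed by
    credential access or an exfiltration tool is 'critical'; isolated hits are 'medium'.
    Hosts with no hits are omitted."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        for tactic, detail in classify(ev):
            per_host[ev.host].append((ev.ts, tactic, detail))
    results = {}
    for host, hits in per_host.items():
        tactics = [t for _, t, _ in hits]
        chained = False
        if "webshell" in tactics:
            after_shell = tactics[tactics.index("webshell"):]
            chained = any(t in ("cred_access", "exfil_tool") for t in after_shell)
        results[host] = {"severity": "critical" if chained else "medium", "hits": hits}
    return results


# Constructed sample telemetry: a web shell on web01 followed by an LSASS dump,
# WinSCP on a database server, PuTTY on a workstation (benign), and a normal service start.
SAMPLE_EVENTS = [
    ProcEvent(1000, "web01", "web", r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcEvent(1300, "web01", "web", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 612 C:\temp\l.dmp full"),
    ProcEvent(2200, "db01", "db", r"C:\Windows\explorer.exe",
              r"C:\Users\svc_admin\Downloads\WinSCP.exe", "WinSCP.exe /console"),
    ProcEvent(2500, "ws17", "workstation", r"C:\Windows\explorer.exe",
              r"C:\Program Files\PuTTY\putty.exe", "putty.exe -ssh jumphost"),
    ProcEvent(900, "web02", "web", r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for host, result in correlate(SAMPLE_EVENTS).items():
        print(host, result["severity"])
        for ts, tactic, detail in result["hits"]:
            print(f"  {ts} {tactic}: {detail}")
```

Run stand-alone, the script flags web01 as critical (web shell, then an LSASS dump via comsvcs.dll) and db01 as medium (WinSCP on a database server), while the PuTTY session on the workstation and the service start on web02 produce nothing. The correlation is deliberately per host; linking the web01 shell to the later WinSCP run on db01 requires the logon events in between and is left to the SIEM.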
Given these developments, Unit 42 researchers assess that Agonizing Serpens has significantly upgraded its capabilities and is investing heavily in evading EDR and other security controls, rotating between publicly available tools and custom-built ones.