The affected gemstone dealers in Israel, as well as the security experts at ESET, were surprised that the cybercriminals were interested only in destroying digital information and not in making a financial profit. The ESET researchers were able to prove that the APT group Agrius had carried out a series of cyber attacks with the “Fantasy” malware, which also affected an Israeli human resources company and an IT company. Victims were also observed in South Africa and Hong Kong.
Cybercriminals who destroy instead of extort
The Iran-affiliated attackers used Fantasy, a so-called wiper, which is purely destructive and, unlike ransomware, is not intended to extort money. To gain access to the victims' networks, Agrius carried out a supply chain attack in which an Israeli software suite that is very common in the diamond industry was misused.
The ESET researchers published further details at: https://ots.de/Ji9Q1G
After three hours it was all over
On February 20, 2022, Agrius deployed credential collection tools to a South African diamond industry organization. Experts see this as preparation for the later campaign. Agrius launched the actual deletion attack on March 12, 2022, using Fantasy and its distribution tool “Sandals” first on the victim in South Africa, then on others in Israel and finally in Hong Kong.
The Fantasy wiper deleted either all files on the hard drive or all files with one of 682 predefined extensions, including filename extensions for Microsoft 365 applications (for example, Microsoft Word, Microsoft PowerPoint, and Microsoft Excel), as well as for common video, audio, and image file formats. Although the malware took measures to complicate recovery and forensic analysis, it is quite likely that recovery of the Windows OS drive was possible. Victims were observed to be back up and running within a few hours.
“The campaign lasted less than three hours. During this period, ESET customers were already protected by detections that identified Fantasy as a wiper and blocked its execution. We observed that the developer of the specialized software for the diamond industry issued clean updates within hours of the attack.”
Adam Burgher, ESET Senior Threat Intelligence Analyst
Iran-affiliated APT group Agrius focuses on Israel
Agrius is a newer, Iran-linked cybercriminal group that has been attacking targets in Israel and the United Arab Emirates since 2020. The group originally deployed the “Apostle” wiper, which masqueraded as ransomware. It was later developed into full-fledged ransomware. The APT group exploits known vulnerabilities in Internet-facing applications to install web shells. It then conducts internal reconnaissance before the wiper is distributed and does its damage.
Since its discovery in 2021, Agrius has focused exclusively on destructive operations. Fantasy is similar to the earlier Apostle wiper in many ways. Many of Apostle's original features differ only slightly from their implementation in Fantasy.
Source:
Press portal / ESET Deutschland GmbH

