Apostle, as an investigator at security company SentinelOne calling for a malware program, was initially put in charge of trying to clear the data but failed to do so, possibly due to a mistake in his mind. The name its creators gave it was “wiper-action.” In a later version, the virus was fixed and the malware program got a complete system of rescue, including the ability to record documents requiring victims to pay a ransom in exchange for confidentiality.
Mu message published Tuesday, SentinelOne investigators have confidently concluded that, in accordance with the rules and servers prescribed by the Apostles, the criminal program was being used by a newly acquired group affiliated with the Iranian government. When the article examined those researchers found that the Apostle was used to fight for a difficult position in the United Arab Emirates, the main focus was on Israel.
“Using the ransom program as a distraction tool is often difficult to prove, because it is difficult to know the intentions of the actor,” the second report said. “The review of the Apostolic malware program provides insufficient information on these types of species, and highlights the differences between what started as a destructive malware program and effective redemptions.”
Researchers call this group Agrius. SentinelOne saw the group using Apostle as an eraser, even though the error and malware prevented this, largely because of a mistake in its assertion. Agrius then returned to Deadwood, a missile that had previously been used against a target in Saudi Arabia in 2019.
Agrius’ new type of Apostle is a complete redemption.
“We believe that the implementation of the plan is a concealment of its real purpose – to destroy its experience,” it said Tuesday. “This idea is supported by an ancient Apostle whose fighters are called ‘wiper-action.'”
The apostles have large pins that hold a back door, called the IPSec Helper, which Agrius uses. The IPSec server receives a number of commands, such as downloading and displaying a catchy file, which is delivered from the opponent’s control server. Both Apostle and IPSec Helper are listed in .Net.
Agrius also uses websites to attack attackers within a disruptive network. To hide their IP addresses, members use ProtonVPN.
Iranian-assisted assistants already had an association with disk wipers. In 2012, a malware program was hacked through a Saudi Arabian network from Saudi Aramco, the world’s largest exporter, and destroyed hard drives more than 30,000 workplaces. Investigators later identified the worm as Shamoon and claimed it was Iran’s fault.
In 2016, Shamoon came out again in a campaign that hit several organizations in Saudi Arabia, including several government agencies. Three years later, researchers found A new Iranian wiper called ZeroCleare.
An apostle is not the first shot to be hidden as a redemption. NotPetya, the same worm has cost billions of dollars worldwide, who re-branded themselves as a ransom until investigators discovered that it had been fabricated by Russian government crackdowns to disrupt Ukraine.
SentinelThe chief investigating officer Juan Andres Guerrero-Saade said in an interview that a criminal program like Apostle shows the frequent connections between economics. terrorists and international thieves.
“Natural threats continue to evolve, as invaders are developing various strategies to achieve their goals,” he said. “We are seeing gangs learning from wealthy financial institutions. Similarly, government agencies are lending to terrorist groups – pretending to revolt under the pretense of rescuing unsuspecting individuals if they return their files to ransom.”
The story first appeared Ars Technica.
Many Great Stories