Categories: Cyber AttackHacks

Iranian APT Hackers Attacking Education & Tech Sectors to Steal Sensitive Data

Cybersecurity researchers link attackers to the Iranian-backed APT group “Agonizing Serpens,” which has upgraded its capabilities and uses various tools to bypass security measures.

Hackers target and steal sensitive data for various reasons, including:

  • Financial gain
  • Identity theft
  • Espionage
  • Disruption
  • Cause harm

They may sell the stolen data on the black market, use it for blackmail, or exploit it for fraudulent activities. Unit 42 researchers recently discovered a series of cyberattacks targeting Israeli education and tech sectors, aiming to steal data and render endpoints unusable.

Technical Analysis

Iranian-linked APT Agonizing Serpens has been active since 2020, using wipers and fake ransomware in attacks targeting Israeli organizations. They aim to steal data and disrupt business continuity, often publishing stolen info on social media.

Here below, we have mentioned the other names of Agonizing Serpens:-

  • Agrius
  • BlackShadow
  • Pink Sandstorm
  • DEV-0022

Attackers exploited web servers for initial access, deploying web shells. These shells, similar to past Agonizing Serpens attacks, conducted reconnaissance and network mapping using common scanners that are publicly available.

Basic reconnaissance commands via the web shells (Source – Unit 42)

Here below we have mentioned the scanners:-

  • Nbtscan
  • WinEggDrop
  • NimScan

The attackers attempted to gain admin credentials, but Cortex XDR blocked their methods. Here below we have mentioned all the attempted methods:-

  • Mimikatz
  • SMB password spraying
  • SMB password brute force
  • Dumping the SAM file

The attackers employed Plink (as systems.exe) for lateral movement, aimed at data theft and wiper execution. They used tools like WinSCP and Putty, along with a custom sqlextractor (sql.net4.exe) for exfiltration.

Here below we have mentioned the types of data extracted:- 

  • ID numbers
  • Passport scans
  • Emails
  • Full addresses

The attackers tried using WinSCP and pscp.exe for file exfiltration, seeking specific file types containing stolen data.

The group tried to bypass EDR, but Cortex XDR blocked their attempts. They used various known techniques not seen in previous attacks, indicating increased sophistication.

The attackers used a custom tool called agmt.exe, likely derived from drvIX based on the PDB path. Agmt.exe is a custom loader for the GMER driver, AGMT.sys. It can terminate a specified target process by registering and starting the AGMT service.

After failing to exploit the GMER driver, the attackers turned to the drvIX tool, leveraging a new vulnerable driver from a public PoC tool called BadRentdrv2.

New Wipers & Tools

Cybersecurity researchers at Unit 42 found the following new wipers and tools used by the operators of the Agonizing Serpens group:-

  • MultiLayer wiper
  • PartialWasher wiper
  • BFG Agonizer wiper
  • Sqlextractor – a custom tool to extract information from database servers

Indicators of Compromise

Web shells

  • 1ea4d26a31dad637d697f9fb70b6ed4d75a13d101e02e02bc00200b42353985c
  • 62e36675ed7267536bd980c07570829fe61136e53de3336eebadeca56ab060c2
  • abfde7c29a4a703daa2b8ad2637819147de3a890fdd12da8279de51a3cc0d96d

Nbtscan

  • 63d51bc3e5cf4068ff04bd3d665c101a003f1d6f52de7366f5a2d9ef5cc041a7

WinEggDrop

  • 49c3df62c4b62ce8960558daea4a8cf41b11c8f445e218cd257970cf939a3c25

NimScan

  • dacdb4976fd75ab2fd7bb22f1b2f9d986f5d92c29555ce2b165c020e2816a200
  • e43d66b7a4fa09a0714c573fbe4996770d9d85e31912480e73344124017098f9

Mimikatz

  • 2a6e3b6e42be2f55f7ab9db9d5790b0cc3f52bee9a1272fc4d79c7c0a3b6abda

ProcDump

  • 5d1660a53aaf824739d82f703ed580004980d377bdc2834f1041d512e4305d07
  • f4c8369e4de1f12cc5a71eb5586b38fc78a9d8db2b189b8c25ef17a572d4d6b7
  • 13d8d4f4fa483111e4372a6925d24e28f3be082a2ea8f44304384982bd692ec9

Sqlextractor

  • a8e63550b56178ae5198c9cc5b704a8be4c8505fea887792b6d911e488592a7c

Pscp.exe

  • a112e78e4f8b99b1ceddae44f34692be20ef971944b98e2def995c87d5ae89ee

MultiLayer wiper

  • 38e406b17715b1b52ed8d8e4defdb5b79a4ddea9a3381a9f2276b00449ec8835
  • f65880ef9fec17da4142850e5e7d40ebfc58671f5d66395809977dd5027a6a3e

PartialWasher Wiper

  • ec7dc5bfadce28b8a8944fb267642c6f713e5b19a9983d7c6f011ebe0f663097

BFG Agonizer Wiper

  • c52525cd7d05bddb3ee17eb1ad6b5d6670254252b28b18a1451f604dfff932a4

GMER Driver Loader – agmt.exe

  • 8967c83411cd96b514252df092d8d3eda3f7f2c01b3eef1394901e27465ff981
  • a2d8704b5073cdc059e746d2016afbaecf8546daad3dbfe4833cd3d41ab63898

GMER Driver

  • 18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7

Rentdrv2 Loader – drvIX.exe

  • 2fb88793f8571209c2fcf1be528ca1d59e7ac62e81e73ebb5a0d77b9d5a09cb8

Rentdrv2 Driver

  • 9165d4f3036919a96b86d24b64d75d692802c7513f2b3054b20be40c212240a5

Infrastructure

  • 185.105.46[.]34
  • 185.105.46[.]19
  • 93.188.207[.]110
  • 109.237.107[.]212
  • 217.29.62[.]166
  • 81.177.22[.]182

Patch Manager Plus: Automatically Patch over 850 third-party applications quickly – Try Free Trial.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

CISA Proposes National Cyber Incident Response Plan

The Cybersecurity and Infrastructure Security Agency (CISA) has unveiled a proposed update to the National…

44 minutes ago

Iranian Hackers Launched A Massive Attack to Exploit Global ICS Infrastructure

In a joint cybersecurity advisory, the FBI, CISA, NSA, and partner agencies from Canada, the…

2 hours ago

Next.js Vulnerability Let Attackers Bypass Authentication

A high-severity vulnerability has been discovered in the popular web framework, Next.js, which allows attackers…

3 hours ago

CISA Issues Secure Practices for Cloud Services To Strengthen U.S Federal Agencies

In a decisive move to bolster cloud security, the Cybersecurity and Infrastructure Security Agency (CISA)…

3 hours ago

Fortinet Critical Vulnerabilitiy Let Attackers Inject Commands Remotely

Fortinet, a global leader in cybersecurity solutions, has issued an urgent security advisory addressing two…

4 hours ago

Critical Chrome Vulnerabilities Lets Attackers Execute Arbitrary Code Remotely

Google has released a new security update on the Stable channel, bringing Chrome to version 131.0.6778.204/.205…

5 hours ago