"Hackers Use New Fantasy Data Wiper in Coordinated Supply Chain Attack"

In supply chain attacks affecting organizations in Israel, Hong Kong, and South Africa, the Iranian Agrius Advanced Persistent Threat (APT) hacking group is employing a new 'Fantasy' data wiper. The campaign began in February and peaked in March 2022, infiltrating an Information Technology (IT) support services firm, a diamond wholesaler, a jeweler, and a Human Resources (HR) consulting firm. Agrius delivered Fantasy hidden inside a software suite created by an Israeli vendor; this software is widely used in the diamond industry. According to ESET analysts, Fantasy is an evolution of the threat actor's previous campaign wiper, 'Apostle.' Wipers are a type of malware that deletes data from compromised computers, resulting in digital destruction and business disruption. On February 20, 2022, Agrius breached a South African diamond industry organization, dropping credential harvesters such as MiniDump and SecretsDump on its network to steal account credentials.

The Fantasy data wiper is a 32-bit Windows executable. Upon execution, it obtains a list of all drives and their directories, with the exception of the Windows folder. Fantasy overwrites each file's content with random data, resets its timestamps to midnight 2037, and deletes it; this procedure is intended to keep the files from being recovered with data recovery software. Fantasy then deletes registry keys in HKCR, clears all Windows event logs (WinEventLogs), deletes the Windows SystemDrive folder, and sleeps for two minutes. After another 30-second delay, the wiper overwrites the master boot record, deletes itself, and reboots the system. This article continues to discuss the Agrius APT hacking group and its use of the new Fantasy data wiper in supply chain attacks.
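As an added example (not code from the article, ESET, or Bleeping Computer), the triage script below looks for the one filesystem artifact the article describes in enough detail to check for: files whose timestamps were reset to "midnight 2037" before deletion, which would remain on files the wiper could not delete (in use, locked, or on a volume it did not finish). It assumes "midnight 2037" means 00:00:00 on any 2037 date, checked in both UTC and local time since the article gives no time zone; the sample records and the `now` clock value are constructed.

```python
import os
import time
from datetime import datetime, timezone
from typing import Iterable, List, Optional, Tuple

# Assumption: "midnight 2037" from the article = 00:00:00 on any date in 2037.
# Both UTC and the local zone are tested so a time zone offset cannot hide it.
def is_midnight_2037(ts: float) -> bool:
    """True if the POSIX timestamp lands on 00:00:00 of a 2037 date (UTC or local)."""
    for tz in (timezone.utc, None):
        dt = datetime.fromtimestamp(ts, tz)
        if dt.year == 2037 and (dt.hour, dt.minute, dt.second) == (0, 0, 0):
            return True
    return False

def classify(mtime: float, atime: float, now: float) -> Optional[str]:
    """Label one file's timestamps: the Fantasy artifact, any other future
    timestamp (worth a look, but not specific to this wiper), or None."""
    if is_midnight_2037(mtime) or is_midnight_2037(atime):
        return "fantasy-2037-timestamp"
    if mtime > now or atime > now:
        return "future-timestamp"
    return None

def triage_records(records: Iterable[Tuple[str, float, float]],
                   now: float) -> List[Tuple[str, str]]:
    """records are (path, mtime, atime) tuples, e.g. exported from a forensic
    image or MFT parser; returns only the flagged (path, label) pairs."""
    out = []
    for path, mtime, atime in records:
        label = classify(mtime, atime, now)
        if label:
            out.append((path, label))
    return out

def triage_tree(root: str, now: Optional[float] = None) -> List[Tuple[str, str]]:
    """Walk a live or mounted tree (symlinks not followed) and triage each file."""
    now = time.time() if now is None else now
    records = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path, follow_symlinks=False)
            except OSError:
                continue  # vanished or unreadable; wipers leave plenty of these
            records.append((path, st.st_mtime, st.st_atime))
    return triage_records(records, now)

if __name__ == "__main__":
    for path, label in triage_tree("."):
        print(f"{label}\t{path}")
```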

Bleeping Computer reports "Hackers Use New Fantasy Data Wiper in Coordinated Supply Chain Attack"
