Apostle

As in previous attacks, the threat actors gained entry via public-facing web servers and the deployment of “unique variants of ASPXSPY”

“Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.” / “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.”

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

“Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.” / “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.”

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

Agonizing Serpens frequently exploited publicly available one-day vulnerabilities in public-facing web applications to drop custom web shells.

“Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.” / “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.”

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

The content contains many examples of base64, XOR, RC4, AES, Rijndael, custom ciphers, rolling XOR, and multi-layer obfuscation used to hide payloads, strings, scripts, and C2 data.

The new version of Apostle is obfuscated, encrypted and compressed as a resource in a loader we call Jennlog, as it attempts to masquerade payload in resources as log files.

APT-C-36 has used a macro function to set scheduled tasks, disguised as those used by Google.

Many examples describe post-intrusion cleanup, anti-forensics, and removal of artifacts such as logs, scripts, malware components, scheduled tasks, registry keys, and temporary files.

The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.

The content repeatedly describes malware and threat actors decoding, decrypting, deobfuscating, or unpacking payloads, strings, configuration data, commands, and C2 responses prior to execution or use.

Before executing the Apostle payload, Jennlog runs a set of tests to verify that it is not being executed in an analysis environment based on an embedded configuration.

The extracted content found in this sample is a new version of the Apostle ransomware, which is loaded into memory and ran using the parameters given to Jennlog at execution.

The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.

Before executing the Apostle payload, Jennlog runs a set of tests to verify that it is not being executed in an analysis environment based on an embedded configuration.

It can be used to exfiltrate data or deploy additional malware.

Initially engaged in espionage activity, Agrius deployed a set of destructive wiper attacks against Israeli targets, masquerading the activity as ransomware attacks.

Later intrusions carried out by Agrius revealed they kept maintaining and improving Apostle, turning it into a fully functional ransomware... In some cases, the group leveraged its access to deploy destructive wiper malware, and in others a custom ransomware.

Apostle retrieves a list of all running processes on a victim host, and stops all services containing the string "sql," likely to propagate ransomware activity to database files. LockBit 3.0 can identify and terminate specific services. RansomHub can stop processes associated with files currently in use to maximize the impact of encryption.

"AcidPour includes functionality to reboot the victim system following wiping actions..."; "AcidRain reboots the target system once the various wiping processes are complete"; "Apostle reboots the victim machine following wiping"; "APT37 ... issue the command shutdown /r /t 1 to reboot a system after wiping its MBR"; "APT38 ... BOOTWRECK ... initiate a system reboot after wiping the victim's MBR"; "Black Basta ... used ShellExecuteA to shut down and restart"; "DarkGate ... used the shutdown command"; "HermeticWiper can initiate a system shutdown"; "NotPetya will reboot the system one hour after infection"; "Shamoon will reboot the infected system once the wiping functionality has been completed"; "WhisperGate can shutdown ... through ... ExitWindowsEx"

Iran has a new cyber trick in the form of destructive smokescreens that leverage ransomware-style encryption to disguise data destruction, sabotage, or political retribution.