Proprietary 2022-02-20 · 20 days · Data Destruction, Credential Theft, Lateral Movement

Diamond software delivered Fantasy wiper

Agrius likely abused an Israeli diamond-industry software update channel to deploy Fantasy. The wiper spread with Sandals and destroyed data in South Africa, Israel, and Hong Kong.

Story

Agrius used a software supply-chain compromise to turn a specialized business tool into a timed wiper delivery path. ESET did not name the Israeli developer, but said all observed victims were customers of its software suite, which served the diamond industry.

The campaign started with preparation. On February 20, 2022, Agrius deployed credential-harvesting tools at a South African diamond-industry organization. On March 12, it launched the destructive phase. Victims in South Africa, Israel, and Hong Kong executed Fantasy within about two and a half hours.

Fantasy was built from the Apostle code base but dropped the ransomware pretense. It overwrote files, deleted them, broke file-type associations in the registry, cleared event logs, attempted to wipe fixed drives and the Windows system drive, overwrote the MBR, then rebooted the machine. Recovery was sometimes possible, but the intent was destruction.

Sandals handled lateral execution. It used SMB and PsExec with harvested credentials to write batch files and launch Fantasy on remote systems. ESET's supply-chain assessment rests on the shared software vendor, the update-like naming, the synchronized execution window, and the wiper's location under the Windows temp path used by the legitimate update flow.

Affected Artifacts

Fantasy wiper through unnamed software update

· Binary Archive
Observed
2022-02-20 to 2022-03-12
Compromised Versions
Unknown
Fixed
Not listed
Evidence
file_sha1: fantasy35.exe 1a62031bbb2c3f55d44f59917fd32e4ed2041224, file_sha1: fantasy45.exe 820ad7e30b4c54692d07b29361aecd0bb14df3be, file_sha1: host2ip.exe 1aae62acee3c04a6728f9edc3756fabd6e342252, file_sha1: MiniDump.exe 5485c627922a71b04d4c78fbc25985cdb163313b, +3 more
  • ESET believed the wiper was deployed via the developer's software update mechanism based on victim commonality, naming, timing, and execution path evidence.
  • The affected vendor and software name were not publicly identified.

Incident Context

Motive
Data Destruction
Attribution
State
Cause
Update Infrastructure Compromise
Transitive
Yes
Actor
Agrius

Indicators

  • family: Fantasy
  • family: Sandals
  • family: Apostle
  • file: fantasy35.exe
  • file: fantasy45.exe
  • file: spchost.exe
  • file: host2ip.exe
  • file: MiniDump.exe
  • file: secretsdump.py
  • path: %SYSTEM%\Windows\Temp
  • technique: PsExec
  • observable: Victims executed Fantasy within an approximately 2.5-hour window.
  • observable: ESET observed clean updates pushed by the software developer within hours.
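The indicators above, together with the Sandals lateral-execution pattern and the synchronized execution window described in the Story section, can be turned into a hunting script. The block below is an added example written for this record; it is not ESET's code or anything from the unnamed vendor. It runs over constructed log records in a simplified pipe-delimited format that mimics Sysmon event 1 (process creation) and System event 7045 (service install) fields; the host names, timestamps, and the two placeholder SHA-1 values for benign binaries are invented. Only the four SHA-1 hashes listed on this page are treated as known-bad; spchost.exe and the credential tools are matched by file name because their hashes are not given here.

```python
"""Hunt for Fantasy/Sandals-style activity in exported Windows event records.

Added example, not from the original report. Detection rules mirror this
record's indicators: known binary names and SHA-1s, execution from the
Windows Temp path (the directory the legitimate updater also used),
PsExec service installs, and a cross-host execution window of ~2.5 hours.
"""
import re
from datetime import datetime, timedelta

# SHA-1 -> (file name, role). Hashes are the ones listed on this page.
KNOWN_SHA1 = {
    "1a62031bbb2c3f55d44f59917fd32e4ed2041224": ("fantasy35.exe", "wiper"),
    "820ad7e30b4c54692d07b29361aecd0bb14df3be": ("fantasy45.exe", "wiper"),
    "1aae62acee3c04a6728f9edc3756fabd6e342252": ("host2ip.exe", "recon"),
    "5485c627922a71b04d4c78fbc25985cdb163313b": ("MiniDump.exe", "credential_theft"),
}
# Names matched case-insensitively when no hash is available.
KNOWN_NAMES = {"fantasy35.exe", "fantasy45.exe", "spchost.exe", "host2ip.exe", "minidump.exe"}
TEMP_PATH = re.compile(r"^[a-z]:\\windows\\temp\\", re.I)
WINDOW = timedelta(hours=2, minutes=30)

# Constructed sample records: "timestamp|host|event_id|key=value;key=value".
# The two all-0/all-1 hashes are placeholders for benign binaries.
SAMPLE_LOG = """\
2022-03-12T09:10:00|ZA-DC01|1|image=C:\\Windows\\System32\\notepad.exe;sha1=1111111111111111111111111111111111111111;parent=C:\\Windows\\explorer.exe
2022-03-12T11:01:40|ZA-FS01|7045|service=PSEXESVC;path=%SystemRoot%\\PSEXESVC.exe
2022-03-12T11:02:15|ZA-FS01|1|image=C:\\Windows\\Temp\\fantasy35.exe;sha1=1A62031BBB2C3F55D44F59917FD32E4ED2041224;parent=C:\\Windows\\spchost.exe
2022-03-12T12:40:03|IL-WS07|1|image=C:\\Windows\\Temp\\fantasy45.exe;sha1=820AD7E30B4C54692D07B29361AECD0BB14DF3BE;parent=C:\\Windows\\System32\\cmd.exe
2022-03-12T13:25:51|HK-APP02|1|image=C:\\Windows\\Temp\\update.exe;sha1=0000000000000000000000000000000000000000;parent=C:\\Program Files\\Suite\\updater.exe
"""


def parse(line):
    """Split one record into a dict with a real datetime and its key=value fields."""
    ts, host, event, rest = line.split("|", 3)
    fields = dict(kv.split("=", 1) for kv in rest.split(";"))
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event, **fields}


def classify(rec):
    """Return the list of rule names a record trips (empty list if benign)."""
    hits = []
    if rec["event"] == "1":
        image = rec.get("image", "")
        name = image.rsplit("\\", 1)[-1].lower()
        sha1 = rec.get("sha1", "").lower()
        if sha1 in KNOWN_SHA1:
            hits.append("known_sha1:" + KNOWN_SHA1[sha1][0])
        if name in KNOWN_NAMES:
            hits.append("known_name:" + name)
        # Weak signal on its own: the legitimate updater also runs from here.
        if TEMP_PATH.match(image):
            hits.append("temp_exec")
    elif rec["event"] == "7045" and rec.get("service", "").upper() == "PSEXESVC":
        hits.append("psexec_service")  # Sandals used PsExec for remote launch
    return hits


def hunt(log_text):
    """Parse every record and return (timestamp, host, hits) for those that alert."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        hits = classify(rec)
        if hits:
            alerts.append((rec["ts"], rec["host"], hits))
    return sorted(alerts)


def execution_window(alerts):
    """Measure how tightly confirmed wiper executions cluster across hosts."""
    wiper = [(ts, host) for ts, host, hits in alerts
             if any(h.startswith("known_sha1:") and KNOWN_SHA1_ROLE(h) == "wiper" for h in hits)]
    if not wiper:
        return None
    stamps = [ts for ts, _ in wiper]
    span = max(stamps) - min(stamps)
    return {"hosts": len({h for _, h in wiper}),
            "span_seconds": span.total_seconds(),
            "synchronized": span <= WINDOW}


def KNOWN_SHA1_ROLE(hit):
    """Map a 'known_sha1:<name>' hit back to the role recorded for that hash."""
    name = hit.split(":", 1)[1]
    return next(role for n, role in KNOWN_SHA1.values() if n == name)


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for ts, host, hits in found:
        print(ts.isoformat(), host, ", ".join(hits))
    print(execution_window(found))
```

The window check is the piece that distinguishes a supply-chain push from opportunistic lateral movement: two confirmed wiper executions on different hosts inside the 2.5-hour bound is what the record describes, whereas a temp-path execution by itself (the HK-APP02 line) is only worth a look because the vendor's own updater ran from the same directory.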

External References

Source record: proprietary/fantasy-agrius/meta.yaml