The hacking community of Agrius has switched from a strictly destructive wiper malware to a mix of wiper and ransomware functions — and pretends to keep data till the end of attacks. 

SentinelOne investigators announced on Tuesday that Agrius was the first to be found in attacks targeting Israeli groups in 2020, evaluating the threat group's new movements. 

The community utilizes a mixture of its customized toolkits and offensive security software, readily accessible, to deploy either a malicious wiper or a custom wiper-turned-ransomware variant. The attackers asked the targets to pay the ransom to simulate a ransomware attack to conceal the true nature of the attack. 

The Agrius Community has been functioning since the beginning of 2020, as per the experts. Initially targeted aggression in the Middle East area, Agrius expanded its presence since December 2020 to the Israeli targets. 

But unlike the other ransomware groups like Maze and Conti, Agrius doesn't seem to rely on money—instead, ransomware is indeed a recent addition and a boost to the cyber-espionage- and destruction-oriented attacks.

Moreover, Agrius claimed to be robbing and encrypting information for extorting victims in many of the attacks identified by SentinelOne only when the wiper was deployed, however, this information had already been lost. 

Agrius "intentionally masked their activity as a ransomware attack," the researchers said. 

Throughout the initial stages of the attack, Agrius uses tools for the virtual private network (VPN) software, also accessing publicly available applications and services that correspond to its intended target, often via compromised accounts and security vulnerabilities, before trying to exploit them. 

Agrius' toolkit consists of Deadwood, a malicious wiper malware strain, which is also referred to as Detbosit. Deadwood, assumed to be the APT33 work, was related to attacks against Saudi Arabia during 2019. 

The wipers, like Deadwood, Shamoon, and ZeroCleares, have also been linked to APT33 and APT34. 

During attacks, Agrius also drops the IPsec Helper, a custom.NET backdoor to bind to a command-and-control (C2) server. Moreover, a new .NET wiper known as an Apostle is being thrown away. 

Apostle seems to have been upgraded and changed to include usable modules in a recent attack towards state-owned facilities in the United Arab Emirates. Nevertheless, the team argues, that it is not the financial attraction Agrius focuses on throughout development but the disruptive aspects of ransomware — such as the ability to encrypt data. 

SentinelOne claims no "solid" links have indeed been developed with other established threat groups but because of the involvement of Agrius in Iranian issues, the deployment of web-based shells related to variants produced by the Iranians, and the primary use of wipers – an attack tactic linked to Iranian APTs since 2002 – indicated that the group is likely to originate in the Iranian Republic.