Iranian Nation-State Hacking Group “Agonizing Serpens” Targets Israeli Higher Education and Tech Sectors with Destructive Cyber Attacks

Cyber-Oracle
2 min read · Nov 7, 2023


Agonizing Serpens steals sensitive data and then deploys novel wiper malware to render infected systems unusable, raising concerns about upgraded capabilities

A series of destructive cyber attacks that commenced in January 2023 and persisted until October have specifically targeted Israeli higher education and technology sectors. The attacks have been attributed to an Iranian nation-state hacking group known as “Agonizing Serpens,” which also goes by the aliases Agrius, BlackShadow, and Pink Sandstorm (formerly Americium). According to a report from Palo Alto Networks Unit 42, these attacks are marked by attempts to steal sensitive data, including personally identifiable information (PII) and intellectual property, followed by deploying various wiper malware to cover the attackers’ tracks and render the compromised endpoints inoperable.

The novel wiper malware used in these attacks includes MultiLayer, PartialWasher, and BFG Agonizer, alongside a bespoke tool called Sqlextractor, which is employed to extract information from database servers. Agonizing Serpens has been active since at least December 2020 and has a history of launching wiper attacks against Israeli entities. In May, Check Point reported on the group’s use of the ransomware strain “Moneybird” in attacks targeting Israel.

The modus operandi in these recent attacks involves exploiting vulnerable internet-facing web servers as initial access points to deploy web shells, perform reconnaissance on victim networks, and acquire administrative user credentials. The attackers then move laterally within the network, exfiltrate data using a combination of public and custom tools, such as Sqlextractor, WinSCP, and PuTTY, and finally deliver the wiper malware.

  • MultiLayer: A .NET wiper that enumerates files and either deletes them or overwrites them with random data, then wipes the boot sector so the machine can no longer boot; recovery of the data is impractical after it runs.
  • PartialWasher: A C++ wiper that scans the drives and wipes specified folders together with their subfolders.
  • BFG Agonizer: A wiper built on the open-source CRYLINE-v5.0 project.
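The chain described above (web shell on an internet-facing server, lateral movement, exfiltration with WinSCP and PuTTY, then a wiper that walks the file tree and finally hits the boot sector) is easier to catch as a sequence than as isolated alerts. The following is an added example, not code from the Unit 42 report or from the attackers' tooling: a small correlation routine run over constructed endpoint telemetry. The event schema, the process names used as indicators, the `\\.\PhysicalDrive` check for boot-sector writes, and the 200-writes-in-5-minutes threshold are all assumptions chosen for illustration, not published detection logic.

```python
"""Heuristic correlation of the wiper kill chain described above, run over
constructed endpoint telemetry. Example code written for this page; the
event schema, indicator process names and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str          # "file_create", "process_start", "file_write", "raw_disk_write"
    process: str       # image name of the acting process, lower-case
    target: str = ""   # file path or device, depending on kind


# Assumed indicators: web server processes dropping script files in their
# own web root, the WinSCP/PuTTY suite binaries, and raw writes to a disk device.
WEB_SERVER_PROCS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat9.exe"}
WEB_SHELL_EXTS = (".aspx", ".ashx", ".php", ".jsp")
TRANSFER_TOOLS = {"winscp.exe", "putty.exe", "pscp.exe", "plink.exe"}
WIPE_WINDOW = timedelta(minutes=5)    # assumed: 200 overwrites in 5 minutes
WIPE_MIN_WRITES = 200                 # by one process looks like a tree walk


def classify(ev: Event) -> Optional[str]:
    """Map a single event to a kill-chain stage, or None if uninteresting."""
    if (ev.kind == "file_create" and ev.process in WEB_SERVER_PROCS
            and ev.target.lower().endswith(WEB_SHELL_EXTS)):
        return "webshell"
    if ev.kind == "process_start" and ev.process in TRANSFER_TOOLS:
        return "exfil_tooling"
    if ev.kind == "raw_disk_write" and ev.target.lower().startswith(r"\\.\physicaldrive"):
        return "boot_sector_wipe"
    return None


def mass_overwrite_events(events, window=WIPE_WINDOW, threshold=WIPE_MIN_WRITES):
    """First timestamp per (host, process) at which `threshold` file writes
    fell inside `window`: the 'enumerate and overwrite' wiper pattern."""
    writes = defaultdict(list)
    for ev in events:
        if ev.kind == "file_write":
            writes[(ev.host, ev.process)].append(ev.ts)
    hits = {}
    for key, stamps in writes.items():
        stamps.sort()
        lo = 0
        for hi, ts in enumerate(stamps):          # sliding window over sorted times
            while ts - stamps[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                hits[key] = ts
                break
    return hits


def correlate(events):
    """Per host: stages seen in order of first occurrence, and whether the
    full chain webshell -> exfil tooling -> wipe appeared in that order."""
    first_seen = defaultdict(dict)               # host -> stage -> first ts
    for ev in sorted(events, key=lambda e: e.ts):
        stage = classify(ev)
        if stage:
            first_seen[ev.host].setdefault(stage, ev.ts)
    for (host, _proc), ts in mass_overwrite_events(events).items():
        cur = first_seen[host].get("mass_overwrite")
        if cur is None or ts < cur:
            first_seen[host]["mass_overwrite"] = ts
    report = {}
    for host, stages in first_seen.items():
        wipe_ts = [stages[s] for s in ("mass_overwrite", "boot_sector_wipe") if s in stages]
        full = bool("webshell" in stages and "exfil_tooling" in stages and wipe_ts
                    and stages["webshell"] < stages["exfil_tooling"] < min(wipe_ts))
        report[host] = {"stages": sorted(stages, key=stages.get), "full_chain": full}
    return report


def sample_events():
    """Constructed telemetry for two hosts; not data from a real incident."""
    t0 = datetime(2023, 10, 1, 10, 0)
    ev = [
        Event(t0, "srv-web-01", "file_create", "w3wp.exe", r"C:\inetpub\wwwroot\upload\cmd.aspx"),
        Event(t0 + timedelta(minutes=30), "srv-web-01", "process_start", "winscp.exe"),
        Event(t0 + timedelta(minutes=64), "srv-web-01", "raw_disk_write", "update.exe", r"\\.\PhysicalDrive0"),
        Event(t0 + timedelta(minutes=5), "wks-02", "process_start", "putty.exe"),  # lone admin use
    ]
    for i in range(250):   # wiper overwriting one file every 0.5 s
        ev.append(Event(t0 + timedelta(minutes=60, milliseconds=500 * i),
                        "srv-web-01", "file_write", "update.exe", rf"C:\Users\shared\doc{i}.docx"))
    return ev


if __name__ == "__main__":
    for host, r in correlate(sample_events()).items():
        print(host, r)
```

On the constructed data, `srv-web-01` shows the full ordered chain (web shell, then WinSCP, then mass overwrite and a raw disk write), while `wks-02` only shows a PuTTY launch and is not flagged. The point is that each stage alone is noisy (administrators run PuTTY, backup jobs write many files) and the order between them is what makes the alert worth paging on.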

The attribution of Agonizing Serpens to Agrius rests on code overlaps with malware families the group has previously used, such as Apostle, IPsec Helper, and Fantasy. The Unit 42 researchers also note an apparent enhancement of the group’s capabilities, including efforts to bypass endpoint detection and response (EDR) and other security controls. To that end, Agonizing Serpens has been rotating between various publicly known proof-of-concept (PoC) and pentesting tools as well as custom tooling, signaling an ongoing and concerning evolution in their tactics and resources.
