The Apostle malware is an interesting threat that was first detected on compromised networks of Israeli users and companies. The threat appears to be designed to function as a disk wiper, but due to bugs in its code it was unable to fully carry out its attack. Researchers who identified and analyzed the threat report that its authors refer to it as a “cleanup action,” another indication that the original purpose of the malware was to wipe the victim’s disk.

In a post published Tuesday, SentinelOne researchers said they had determined with high confidence, based on the code and on the servers Apostle reported to, that the malware was being used by a newly discovered group with ties to the Iranian government. While a ransomware note that the researchers recovered suggested that Apostle had been used against a critical facility in the UAE, the primary target was Israel.

While the early Apostle samples failed to do their job due to bugs, recent payload updates appear to have fixed them. However, the ‘fixes’ that the criminals applied also changed the functionality of Apostle: it is now a fully developed ransomware threat, demanding money from its victims.

The encryption functionality is believed to be there to mask the malware’s real intention, which is to destroy the victim’s data. Apostle has major code overlap with a backdoor called IPSec Helper, which Agrius also uses. IPSec Helper receives a series of commands, such as downloading and running an executable file, issued from the attacker’s command-and-control server. Both Apostle and IPSec Helper are written in .NET.

The development and spread of Apostle is attributed to the Agrius Advanced Persistent Threat (APT) group, an emerging cybercrime organization believed to have ties to the Iranian government. This is not a surprise considering that the main targets of Agrius are in Israel. Unfortunately, since this is a new threat, not much is known yet, and the safe assumption is that its operators will update and improve it sooner than we think.
