Analysts at SentinelOne have released a report detailing an Iranian threat actor that they’ve named “Agrius,” TheRecord reports. Agrius has been tracked since early 2020, and has recently shifted their focus towards Israel-targeted operations. Agrius makes use of a data-wiping malware family, DEADWOOD, which has been attributed to Iranian threat actors in the past. Additionally, this actor, possibly in a bid to evade detections, deployed another sample named Apostle that also tried to delete files. SentinelLabs noted that Apostle did not work properly.
As this actor typically leveraged 1-day vulnerabilities in Internet-connected systems in order to deploy their malware, Binary Defense recommends users ensure that all web-facing products are up to date with the latest security patches. This will ensure that actors who reverse engineer the patch cannot infect critical devices. Additionally, Binary Defense recommends deploying a 24/7 SOC monitoring solution, such as Binary Defense’s own Security Operations Task Force, to respond quickly whenever threat activity is detected.