Apostle Malware Evolves from Wiper to Ransomware
The Apostle Malware is an interesting threat that was first spotted on the compromised networks of Israeli users and companies. The strange threat appears to have been designed to work as a disk wiper, but because of bugs in its code, it was not able to carry out its attack completely. Researchers who identified and dissected the threat report that its authors refer to it as 'wiper-action' – another hint that the original purpose of the malware was to wipe the victim's disk. While the first samples of the Apostle Malware failed to do their job because of bugs, those bugs appear to be fixed in recent updates of the payload. However, the 'fixes' that the criminals applied also changed Apostle's functionality – it is now a fully fledged ransomware threat, which demands money from its victims.
The development and propagation of the Apostle Malware are attributed to the Agrius Advanced Persistent Threat (APT) group, an emerging cybercrime organization believed to have ties to the Iranian government. This piece of information does not come as a surprise considering that Agrius' primary targets are situated in Israel.
Iran-affiliated hacking groups seem to have an affinity for disk wipers, and they have been using them since at least 2012. One of the most infamous disk wipers to be employed by Iranian hackers is Shamoon.
We have yet to see what future updates of the Apostle Malware will introduce – it would not be a surprise if the Agrius criminals decide to switch up their strategy again. For now, one thing is for sure – Israel is their primary target, and they do not seem to express interest in other regions.