New Wiper Malware "Fantasy" Used in Supply-Chain Attack

Description

FortiGuard Labs is aware of a report that a new wiper malware "Fantasy" that was deployed by potentially leveraging an unidentified software commonly used in the diamond industry. The report states that Fantasy wiper victims were observed in South Africa, Israel, and Hong Kong. The wiper malware reportedly targets over 300 file extensions for files to overwrite and delete.

Why is this Significant?

This is significant because Fantasy is a new wiper malware that overwrites and deletes files on compromised machines and have victimized multiple organizations. Fantasy wiper is believed to have been deployed to the victims' machines through update mechanism of an unidentified software commonly used in the diamond industry, which classifies the attack as a supply-chain attack.

What is Fantasy Wiper?

Fantasy wiper is a destructive malware that overwrites and deletes files on compromised machines. Fantasy wiper was reportedly executed using a batch file dropped by another malware named "Sandals". Sandals malware leverages credentials and hostnames collected by the threat actor prior to the deployment of Sandals and Fantasy for lateral movement in victim's network.

Fantasy wiper also deletes Windows event logs, all files in system drive and file system cache memory and overwrites the Master Boot Record (MBR).

Who is behind the Fantasy Wiper Attack?

The attack was attributed to the Agrius threat actor group. Agrius' activities are believed to be align with Iran's interests. Apostle and Deadwood wiper are previously linked to the Agrius group.

What is the Status of Coverage?

FortiGuard Labs detects Fantasy wiper with the following AV signature:

• MSIL/KillDisk.I!tr

Other relevant samples used in the reported attack are detected with the following AV signatures:

• BAT/Agent.NRG!tr
• MSIL/Agent.F871!tr
• Riskware/HackTool
• Riskware/LsassDumper

Appendix

Fantasy - a new Agrius wiper deployed through a supply-chain attack (ESET)