Apostle, Striking Targets in Israel


Thread author
Staff member
Malware Hunter
Jul 27, 2015
Researchers say they’ve uncovered never-before-seen disk-wiping malware that’s disguising itself as ransomware as it unleashes destructive attacks on Israeli targets.

Apostle, as researchers at security firm SentinelOne are calling the malware, was initially deployed in an attempt to wipe data but failed to do so, likely because of a logic flaw in its code. The internal name its developers gave it was “wiper-action.” In a later version, the bug was fixed and the malware gained full-fledged ransomware behaviors, including the leaving of notes demanding victims pay a ransom in exchange for a decryption key.
“We believe the implementation of the encryption functionality is there to mask its actual intention—destroying victim data,” Tuesday’s post stated. “This thesis is supported by an early version of Apostle that the attackers internally named ‘wiper-action.’” Apostle has major code overlap with a backdoor, called IPSec Helper, that Agrius also uses. IPSec Helper receives a host of commands, such as downloading and executing an executable file, that are issued from the attacker's control server. Both Apostle and IPSec Helper are written in the .Net language. Agrius also uses webshells so that attackers can move laterally inside a compromised network. To conceal their IP addresses, members use the ProtonVPN.