Description
[Agrius](https://attack.mitre.org/groups/G1030) is an Iranian threat actor active since 2020 notable for a series of ransomware and wiper operations in the Middle East, with an emphasis on Israeli targets.(Citation: SentinelOne Agrius 2021)(Citation: CheckPoint Agrius 2023) Public reporting has linked [Agrius](https://attack.mitre.org/groups/G1030) to Iran's Ministry of Intelligence and Security (MOIS).(Citation: Microsoft Iran Cyber 2023)
Techniques Used (TTPs)
- T1018 — Remote System Discovery (discovery)
- T1046 — Network Service Discovery (discovery)
- T1078.002 — Domain Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
- T1562.001 — Disable or Modify Tools (defense-evasion)
- T1140 — Deobfuscate/Decode Files or Information (defense-evasion)
- T1505.003 — Web Shell (persistence)
- T1005 — Data from Local System (collection)
- T1583 — Acquire Infrastructure (resource-development)
- T1074.001 — Local Data Staging (collection)
- T1110.003 — Password Spraying (credential-access)
- T1119 — Automated Collection (collection)
- T1003.002 — Security Account Manager (credential-access)
- T1560.001 — Archive via Utility (collection)
- T1036 — Masquerading (defense-evasion)
- T1003.001 — LSASS Memory (credential-access)
- T1021.001 — Remote Desktop Protocol (lateral-movement)
- T1190 — Exploit Public-Facing Application (initial-access)
- T1110 — Brute Force (credential-access)
- T1059.003 — Windows Command Shell (execution)
- T1543.003 — Windows Service (persistence, privilege-escalation)
- T1041 — Exfiltration Over C2 Channel (exfiltration)
- T1570 — Lateral Tool Transfer (lateral-movement)
Total TTPs: 22
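Two entries in the list above, T1110 (Brute Force) and T1110.003 (Password Spraying), differ only in shape: a spray touches many accounts from one source with one or two attempts each, while a classic brute force hammers a single account. The following detection is an added example written for this page, not code from MITRE, from any Agrius report, or from the actor's tooling. It parses a constructed, simplified log format (Windows Security event 4625 fields reduced to timestamp, event ID, source address and target account), with invented IP addresses and account names, and flags both patterns with a sliding time window; the thresholds are assumptions to tune per environment.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Regex for the constructed one-line-per-event format used in SAMPLE_LOG.
# Real 4625 events carry many more fields; only these four are needed here.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) EventID=(?P<eid>\d+) "
    r"IpAddress=(?P<ip>[\d.]+) TargetUserName=(?P<user>\S+)$"
)

# Constructed source addresses (documentation ranges), not from any incident.
SPRAY_SRC = "203.0.113.7"   # many accounts, one failure each (T1110.003)
BRUTE_SRC = "198.51.100.9"  # one account, many failures (T1110)
NOISE_SRC = "192.0.2.44"    # a single typo followed by a successful logon

# Constructed sample log: 8 spray failures, 12 brute-force failures, 2 benign lines.
SAMPLE_LOG = "\n".join(
    [f"2024-01-10T08:00:{i:02d} EventID=4625 IpAddress={SPRAY_SRC} "
     f"TargetUserName=user{i:02d}" for i in range(8)]
    + [f"2024-01-10T08:05:{i:02d} EventID=4625 IpAddress={BRUTE_SRC} "
       f"TargetUserName=svc_backup" for i in range(12)]
    + [f"2024-01-10T08:07:00 EventID=4625 IpAddress={NOISE_SRC} TargetUserName=bob",
       f"2024-01-10T08:07:05 EventID=4624 IpAddress={NOISE_SRC} TargetUserName=bob"]
)


def parse_events(text):
    """Parse log text into (timestamp, event_id, source_ip, target_user) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the constructed format
        events.append((datetime.fromisoformat(m["ts"]), int(m["eid"]), m["ip"], m["user"]))
    return events


def _failures_by_source(events):
    """Group failed logons (4625) by source address, sorted by time."""
    by_src = defaultdict(list)
    for ts, eid, ip, user in events:
        if eid == 4625:
            by_src[ip].append((ts, user))
    for fails in by_src.values():
        fails.sort()
    return by_src


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_per_account=2):
    """T1110.003: one source, many distinct accounts, few attempts per account.

    Returns {source_ip: sorted list of targeted accounts} for the first
    qualifying window per source. Thresholds are assumed values.
    """
    alerts = {}
    for ip, fails in _failures_by_source(events).items():
        for i, (start, _) in enumerate(fails):
            in_window = [u for ts, u in fails[i:] if ts - start <= window]
            counts = Counter(in_window)
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                alerts[ip] = sorted(counts)
                break
    return alerts


def detect_brute_force(events, window=timedelta(minutes=10), min_attempts=10):
    """T1110: one source repeatedly failing against a single account.

    Returns {(source_ip, account): failures in the first qualifying window}.
    """
    alerts = {}
    for ip, fails in _failures_by_source(events).items():
        per_user = defaultdict(list)
        for ts, user in fails:
            per_user[user].append(ts)
        for user, times in per_user.items():
            for i, start in enumerate(times):
                n = sum(1 for t in times[i:] if t - start <= window)
                if n >= min_attempts:
                    alerts[(ip, user)] = n
                    break
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("spray sources:", detect_password_spray(evs))
    print("brute-force pairs:", detect_brute_force(evs))
```

The spray check deliberately requires a low per-account attempt count; a source that fails many times against many accounts is better handled by the brute-force rule, and raising max_per_account quietly turns the spray rule into a generic failure counter. Because 4625 from a shared proxy or VPN concentrator will also show many accounts behind one address, add the source to an allowlist or key the spray rule on workstation name as well before alerting on it.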
Malware & Tools
Malware: ASPXSpy, Apostle, BFG Agonizer, DEADWOOD, IPsec Helper, Moneybird, MultiLayer Wiper