The Iran-linked Agonizing Serpens group (aka Agrius, BlackShadow, Pink Sandstorm, DEV-0022) has been targeting Israeli organizations in the higher education and tech sectors with destructive cyber attacks since January 2023.
Palo Alto Networks' Unit 42 researchers reported that the threat actors first attempt to steal sensitive data (i.e., personally identifiable information (PII) and intellectual property) and then deploy various wipers to cover their tracks.
The Unit 42 researchers observed the threat actors using three previously unknown wipers, including MultiLayer and PartialWasher, together with a custom tool named Sqlextractor that is used to extract information from database servers.
The Sqlextractor tool (binary name sql.net4.exe) allows the threat actors to query SQL databases and extract sensitive PII, such as ID numbers, passport scans, emails, and full addresses.
Agonizing Serpens has been active since December 2020 and is known for its destructive wiper and fake-ransomware attacks against Israeli organizations.