IPsec Helper is a backdoor implant used by the Agrius APT group. Agrius is attributed to Iran and allegedly targets Israeli systems. IPsec Helper is written in .NET and offers its operator a wide range of services. The backdoor provides basic functionality such as uploading files from the infected system, running commands, and deploying additional executables. It connects back to its C2 servers over HTTP using a configuration file that is created when the malware is installed and that holds the details of its command-and-control servers. Once installed, it waits for commands. The tool runs as a service, suggesting it is executed only after the threat actor has already obtained elevated privileges.