Cybersecurity experts have revealed the inner workings of a new wiper called Azov Ransomware, which is intentionally designed to corrupt data and “inflict impeccable damage” on compromised systems.
Distributed via another malware loader known as SmokeLoader, the malware has been described by Israeli cybersecurity firm Check Point as an “effective, rapid, and unfortunately irrecoverable data wiper.” Its origins are currently unknown.
The wiper routine is configured to overwrite a file’s contents in alternating 666-byte chunks with random noise, a technique known as intermittent encryption that is increasingly being utilized by ransomware operators to avoid detection and encrypt victims’ files more quickly.
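As an added illustration (not code from Check Point's report or from the Azov sample), the following Python sketches how a defender might spot the alternating-chunk pattern described above: it computes Shannon entropy per 666-byte chunk and flags a buffer in which every other chunk looks like random noise while the chunks between them still hold the original low-entropy content. The 666-byte chunk size comes from the article; the entropy thresholds and the sample input are assumptions constructed here.

```python
import math
import random
from collections import Counter

CHUNK = 666  # chunk size reported for Azov's wiping routine


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or uniform data, up to 8.0 for random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_intermittently_wiped(data: bytes, chunk: int = CHUNK,
                               high: float = 7.0, low: float = 6.0) -> bool:
    """Flag a buffer whose full chunks alternate between noise (entropy >= high)
    and intact content (entropy <= low). Thresholds are assumed values; at least
    four full chunks are required so a single random block is not flagged."""
    full = len(data) // chunk
    if full < 4:
        return False
    ents = [shannon_entropy(data[i * chunk:(i + 1) * chunk]) for i in range(full)]
    even, odd = ents[0::2], ents[1::2]

    def noisy(noise, intact):
        return all(e >= high for e in noise) and all(e <= low for e in intact)

    # Either parity may be the overwritten one, depending on the start offset.
    return noisy(even, odd) or noisy(odd, even)


def build_sample(wiped: bool, chunks: int = 8, seed: int = 7) -> bytes:
    """Constructed test input: repeated text; if wiped, every other 666-byte
    chunk is replaced with pseudo-random bytes (seeded so the result is stable)."""
    rng = random.Random(seed)
    text = (b"Quarterly report: revenue, costs, headcount. " * 20)[:CHUNK]
    out = []
    for i in range(chunks):
        if wiped and i % 2 == 0:
            out.append(bytes(rng.randrange(256) for _ in range(CHUNK)))
        else:
            out.append(text)
    return b"".join(out)


if __name__ == "__main__":
    print("wiped sample flagged:", looks_intermittently_wiped(build_sample(True)))
    print("clean sample flagged:", looks_intermittently_wiped(build_sample(False)))
```

A fully encrypted or compressed file has uniformly high entropy and is not flagged, so the check is specific to the alternating pattern rather than to encryption in general.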
What distinguishes Azov from other ransomware, according to threat researcher Jiří Vinopal, is that it modifies certain 64-bit executables so that they execute its code. These modifications are made with polymorphic code, so static signatures are not an obstacle to it.
Azov Ransomware also includes a logic bomb – a set of conditions that must be satisfied before a malicious action is activated – to trigger the execution of the wiping and backdooring functions at a predetermined time.
“Although the Azov sample was initially considered skidsware […], when probed further one finds very advanced techniques — manually crafted assembly, injecting payloads into executables to backdoor them, and several anti-analysis tricks typically reserved for security textbooks or high-profile brand-name cybercrime tools,” Vinopal added.
Since the beginning of the year, a multitude of destructive wiper attacks has occurred, including WhisperGate, HermeticWiper, AcidRain, IsaacWiper, CaddyWiper, Industroyer2, DoubleZero, RURansom, and CryWiper.
Last week, security firm ESET disclosed a previously unknown wiper called Fantasy that targets diamond industry customers via a supply chain attack against an Israeli software company. The malware has been associated with the threat actor Agrius.