Cybersecurity researchers have published the inner workings of a new wiper called Azov Ransomware, which is designed to intentionally destroy data and "cause impeccable damage" to compromised systems.
Distributed via a separate malware loader known as SmokeLoader, the malware is described by Israeli cybersecurity firm Check Point as an "effective, fast, and unfortunately irrecoverable data wiper." Its origins have not yet been identified.
The wiper routine is set to overwrite a file's contents in alternating 666-byte chunks with random noise. This is a technique known as intermittent encryption, which ransomware operators are increasingly using to evade detection and to encrypt victims' files more quickly, since only part of each file has to be touched.
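The following is an added example, not Azov's code or Check Point's analysis tooling. It models the overwrite pattern described above (every other 666-byte chunk replaced with random bytes; which chunk is hit first is an assumption here) on a constructed sample document, and shows why per-chunk entropy is the right detection signal: whole-file entropy stays middling because half of the file is still the original plaintext, while a chunk-by-chunk view exposes a strict random/plaintext alternation. The entropy thresholds (7.0 and 6.0 bits per byte) are illustrative choices, not values from the report.

```python
import math
import os
import random

CHUNK = 666  # chunk size reported for Azov's overwrite routine

# Constructed sample "document": low-entropy text, exactly 10 full chunks long.
SAMPLE_DOCUMENT = (b"The quick brown fox jumps over the lazy dog. " * 200)[: CHUNK * 10]


def seeded_bytes(seed: int):
    """Deterministic stand-in for os.urandom so the example is reproducible."""
    rnd = random.Random(seed)
    return lambda n: bytes(rnd.getrandbits(8) for _ in range(n))


def wipe_alternating(data: bytes, chunk: int = CHUNK, rng=os.urandom) -> bytes:
    """Model of intermittent overwriting: every other chunk-sized block is
    replaced with random bytes and the blocks in between are left intact.
    Reconstructed from the description; starting with the first chunk is
    an assumption, not a documented detail of Azov."""
    out = bytearray(data)
    for start in range(0, len(out), 2 * chunk):
        end = min(start + chunk, len(out))
        out[start:end] = rng(end - start)
    return bytes(out)


def shannon_entropy(block: bytes) -> float:
    """Bits per byte; 8.0 is the ceiling for uniformly random data."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_chunks(data: bytes, chunk: int = CHUNK, high: float = 7.0, low: float = 6.0):
    """Label each full chunk 'R' (random-looking) or 'P' (plaintext-looking).
    A trailing partial chunk is ignored: a short block cannot reach high
    entropy even when it is random, so it would only cause false negatives.
    Returns None if any chunk falls in the ambiguous band between low and high."""
    labels = []
    for i in range(0, len(data) - len(data) % chunk, chunk):
        e = shannon_entropy(data[i:i + chunk])
        if e >= high:
            labels.append("R")
        elif e <= low:
            labels.append("P")
        else:
            return None
    return labels


def looks_intermittently_wiped(data: bytes, chunk: int = CHUNK, min_chunks: int = 4) -> bool:
    """True when full chunks strictly alternate between random-looking and
    plaintext-looking, in either phase. A file that is random throughout
    (already compressed or encrypted) or plaintext throughout does not match,
    and fewer than min_chunks full chunks is treated as inconclusive."""
    labels = classify_chunks(data, chunk)
    if not labels or len(labels) < min_chunks:
        return False
    return all(a != b for a, b in zip(labels, labels[1:]))


if __name__ == "__main__":
    wiped = wipe_alternating(SAMPLE_DOCUMENT, rng=seeded_bytes(1))
    print("".join(classify_chunks(wiped)))            # RPRPRPRPRP
    print(looks_intermittently_wiped(wiped))           # True
    print(looks_intermittently_wiped(SAMPLE_DOCUMENT))  # False
    print(round(shannon_entropy(wiped), 2))            # whole-file value hides the pattern
```

The alternation check is what distinguishes this from an ordinary encrypted or compressed file, whose chunks are all random-looking; a practitioner scanning a share for damage after an incident would run the classifier over files whose size and type suggest low-entropy content (documents, source, logs) rather than archives or media.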
"What sets Azov apart from garden-variety ransomware is that it modifies certain 64-bit executables to execute its own code," said Check Point threat researcher Jiří Vinopal. "The modification of the executables is done using polymorphic code, so as not to be potentially thwarted by static signatures."
Azov also incorporates logic bombs, sets of conditions that must be met before a malicious action is triggered, which detonate the wiping and backdooring functions at predetermined times.
"The Azov sample was considered skidware when first encountered, [...] but further investigation reveals manually crafted assembly, highly sophisticated techniques for injecting payloads into executables in order to backdoor them, and several anti-analysis tricks usually reserved for security textbooks or well-known brand-name cybercriminal tools," Vinopal added.
This development comes amid a slew of devastating wiper attacks since the beginning of the year, including WhisperGate, HermeticWiper, AcidRain, IsaacWiper, CaddyWiper, Industroyer2, DoubleZero, RURansom, and CryWiper.
Last week, security firm ESET disclosed another previously unknown wiper called Fantasy, attributed to the threat actor Agrius. It was distributed through a supply chain attack on an Israeli software company in order to reach that company's customers in the diamond industry.