Over the past few years, there has been an increase in destructive wipers (malware) appearing. Recently, researchers cataloged two new ones, one of which was found to be highly sophisticated.

Wiper Malware (Azov)

On Monday, researchers at Check Point Research published a detailed technical analysis of Azov, a new type of malware they describe as “an effective, fast, and unfortunately irrecoverable” cyberattack tool.

Malicious code may use the uninitialized local variable “char buffer[666]”.

Script Kiddies Need Not Apply

After permanently deleting files from infected computers, Azov displays a message written in the style of an extortion notice.

The message was sent by an unknown source using a Russian language keyboard layout. It claims to be from “a well-known Polish security researcher” who has been involved in analyzing cyber attacks against Ukrainian targets.


Despite its initial appearance, Azov is not at all unsophisticated.

Azov is a virus in the classic sense of the term, meaning it modifies other files on the infected system (in this instance, by adding polymorphic code to them) so that those files in turn attack the system.

It’s not just an ordinary backdoor; it’s also completely coded in assembly, a low-level programming language that’s difficult to understand but that also makes the malware easier to write.

Azov Malware (Wiper) – Sophisticated Virus

Besides the polymorphic obfuscation, Azov employs other techniques to make detection by researchers more difficult.

“The Azov malware is extremely sophisticated, containing manually crafted assembly code, using anti-analysis tricks normally associated with high-end cybercriminals, and even includes an embedded back door allowing remote access to infected systems.”

Azov Ransomware deserves attention from security researchers.

Self Destructing

A self-destruct routine written into the code causes Azov to trigger at a predetermined date and hour. Once activated, the program loops through every directory and wipes out files except for certain pre-specified ones.
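The wipe loop described above (walk every directory, overwrite everything not on an exclusion list) produces a burst of file writes across many directories that endpoint telemetry can flag. The following is an added example, not code from Check Point or from the original article: it runs a simple behavioural heuristic over constructed file-write events (the pipe-separated format, process names and thresholds are assumptions) and reports any process that writes to many distinct files in many distinct directories within a short window.

```python
import ntpath
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample file-write telemetry (not real logs); one event per line:
# ISO timestamp|pid|process image|path written
SAMPLE_EVENTS = """\
2022-12-05T10:00:00|4120|WINWORD.EXE|C:\\Users\\a\\Documents\\q4.docx
2022-12-05T10:00:03|4120|WINWORD.EXE|C:\\Users\\a\\Documents\\~q4.tmp
2022-12-05T10:01:00|7788|svchost.exe|C:\\Users\\a\\Documents\\q4.docx
2022-12-05T10:01:00|7788|svchost.exe|C:\\Users\\a\\Pictures\\holiday.jpg
2022-12-05T10:01:01|7788|svchost.exe|C:\\Users\\a\\Pictures\\cat.png
2022-12-05T10:01:01|7788|svchost.exe|C:\\Users\\a\\Desktop\\notes.txt
2022-12-05T10:01:02|7788|svchost.exe|C:\\Users\\a\\Music\\song.mp3
2022-12-05T10:01:02|7788|svchost.exe|C:\\Users\\a\\Music\\song2.mp3
"""


def parse_events(text):
    """Parse the pipe-separated telemetry into (time, pid, image, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, image, path = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), int(pid), image, path))
    return sorted(events, key=lambda e: e[0])


def find_wiper_like(events, min_files=5, min_dirs=3, window_s=10):
    """Flag pids that write >= min_files distinct files in >= min_dirs distinct
    directories within any window_s-second sliding window. Returns
    {pid: (image, file_count, dir_count)} for the largest burst seen per pid."""
    recent = defaultdict(deque)  # pid -> deque of (time, path) inside the window
    hits = {}
    for ts, pid, image, path in events:
        q = recent[pid]
        q.append((ts, path))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()  # drop writes that fell out of the window
        files = {p for _, p in q}
        dirs = {ntpath.dirname(p) for p in files}
        if len(files) >= min_files and len(dirs) >= min_dirs:
            prev = hits.get(pid)
            if prev is None or len(files) > prev[1]:
                hits[pid] = (image, len(files), len(dirs))
    return hits


if __name__ == "__main__":
    for pid, (image, nf, nd) in find_wiper_like(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT pid={pid} {image}: {nf} files in {nd} dirs within 10s")
```

A real deployment would feed this from Sysmon or EDR file-write events and tune the thresholds against the host's normal baseline, since backup and indexing agents legitimately touch many directories.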

Last month, more than 17 thousand backdoored executables were uploaded to VirusTotal, indicating widespread distribution.

Last Wednesday, researchers at security firm ESET revealed yet another new malware family they dubbed Fantasy, along with a new lateral movement and execution tool called Sandals.

Supply Chain Attack

A supply chain attack used the infrastructure of an Israeli company that developed software for use in the jewelry business.

Within 150 minutes, Fantasy and Sandals were pushed out to that company’s customers, which included businesses in HR, IT support, and the diamond trade, with targets in South Africa, Israel, and Hong Kong.

Fantasy heavily borrows its design from Apostle, malware that first appeared as ransomware but later revealed itself as a wiper instead.

Apostle has been linked with Agrius, an Iranian cybercrime group that operates from the Middle East. The similarities between the two groups of malware led us to believe they were related.

A Brief History of Wipers

Previously unseen malicious software has been found in Russian government agencies and local governments.

The documentation of Azov, Fantasy, and Sandals comes just after researchers at cybersecurity company Kaspersky Labs detailed CryWiper, a previously unknown malware that targeted Russian courtrooms and municipal offices.

Wipers have been growing increasingly prevalent for the last ten years. In 2012, a type of destructive malware called Shamoon wreaked chaos on Saudi Aramco and Qatar’s RasGas.

Four years after its first attack, another version of Shamoon struck several organizations in Saudi Arabia.

A ransomware attack called WannaCry hit computers worldwide in May 2017, causing billions of dollars in damages. It was the largest ever recorded.

Several new wipers have recently been released. These include Double Zero, Isaac Wiper, Hermetic Wiper, Caddy Wiper, Whisper Gate, Acid Rain, Industrial Ransom, and RuRansom.

It’s often difficult to know exactly why someone develops malware. In the case of Azov, Check Point’s Vinopal explained:

It is not our place to confidently ascribe a motive to the production and dissemination of this malware, though obviously, we can rule out the idea that anything in the newer ransom note was written in good faith (we shouldn’t have to say this, but none of the listed people or organizations had anything to do with creating this ransomware). One might simply write it off as the actions of a disturbed individual; though if one wanted to see this as an egregious false flag meant to incite anger at Ukraine and troll victims more generally, they certainly would have a lot of evidence for that hypothesis, too. The number of already detected Azov-related samples is so large that if there was ever an original target, it has long since been lost in the noise of indiscriminate infections.


Addressing the Issues

The flurry highlights the importance of strengthening network cybersecurity by addressing issues such as:

  • Behavioral file analysis security solutions for endpoint protection.
  • A managed detection and response system that allows for timely detection of an attack and response to it.
  • Dynamic analysis of emails and blocking of malicious files or URLs. This will make phishing attacks, another common vector, more difficult.
  • Regularly conducting penetration tests and Red Team exercises will help to identify weaknesses in an organization’s infrastructures, protect them, and therefore significantly lower the risk of attacks.
  • It is important to monitor threats to identify them quickly and block them before they cause damage.
  • Install critical applications and OS updates as soon as they become available.

With Russia’s ongoing invasion of Ukraine and other geopolitical instabilities worldwide, there’s no reason to believe the wave of wiper attacks will slow down anytime soon.

Author

  • Victor is the Editor in Chief at Techtyche. He tests the performance and quality of new VR boxes, headsets, pedals, etc. He got promoted to the Senior Game Tester position in 2021. His past experience makes him very qualified to review gadgets, speakers, VR, games, Xbox, laptops, and more. Feel free to check out his posts.
