Effective, fast, and unrecoverable, wiper malware is everywhere

Image: digital security concept, a computer bomb in an electronic environment, 3D rendering (Getty Images)

Over the past year, a deluge of destructive wiper malware has emerged from no fewer than nine families. Over the past week, researchers have cataloged at least two more, both of which feature advanced codebases designed to inflict maximum damage.

On Monday, researchers at Check Point Research published details of Azov, a previously unseen piece of malware that the company described as an “effective, fast, and unfortunately unrecoverable data eraser.” Azov wipes files in alternating 666-byte blocks: it overwrites one block with random data, leaves the next, identically sized block intact, and repeats that pattern to the end of the file. The malware uses the uninitialized local variable char buffer[666] for this.
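As an added illustration of the alternating overwrite pattern described above (not code from Check Point or from this article), the following Python triage check estimates the entropy of each 666-byte block of a file and flags one whose blocks alternate between random-looking and structured content; the sample document and its in-memory "wiped" copy are constructed here, and the offset-0 start, the entropy thresholds and the minimum block count are assumptions.

```python
import math
import random

BLOCK = 666  # Azov's overwrite granularity, per Check Point's analysis


def shannon_entropy(chunk: bytes) -> float:
    """Empirical entropy in bits per byte: ~7.7 for 666 random bytes, ~4 for text."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def block_entropies(data: bytes, block: int = BLOCK) -> list:
    """Entropy of each full block; a short trailing block is skipped because
    its estimate is too noisy to classify either way."""
    full = len(data) // block
    return [shannon_entropy(data[i * block:(i + 1) * block]) for i in range(full)]


def looks_azov_wiped(data: bytes, block: int = BLOCK, high: float = 7.0,
                     low: float = 6.0, min_blocks: int = 4) -> bool:
    """True when, starting at offset 0, blocks alternate between random-looking
    (overwritten) and structured (intact). Caveat: already-compressed or
    encrypted files are high-entropy everywhere, so this heuristic cannot
    tell their wiped and intact blocks apart; check those by other means."""
    ents = block_entropies(data, block)
    if len(ents) < min_blocks:
        return False
    return all((e >= high) if i % 2 == 0 else (e <= low) for i, e in enumerate(ents))


def construct_wiped_sample(data: bytes, block: int = BLOCK, seed: int = 1) -> bytes:
    """Constructed test input, built in memory only: every other block is
    replaced with seeded pseudo-random bytes to mimic the described pattern."""
    rng = random.Random(seed)
    out = bytearray(data)
    for i in range(0, len(out), 2 * block):
        n = min(block, len(out) - i)
        out[i:i + n] = bytes(rng.getrandbits(8) for _ in range(n))
    return bytes(out)


# Constructed sample document: repetitive text, plainly not random.
INTACT_DOC = b"Quarterly report: revenue up 4%, headcount flat.\n" * 140
WIPED_DOC = construct_wiped_sample(INTACT_DOC)

if __name__ == "__main__":
    for label, doc in (("intact", INTACT_DOC), ("wiped", WIPED_DOC)):
        print(label, [round(e, 1) for e in block_entropies(doc)], looks_azov_wiped(doc))
```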

Script kiddies need not apply

After permanently destroying data on infected machines, Azov displays a note styled like a ransomware advertisement. The note repeats Kremlin talking points about Russia’s war on Ukraine, including threats of nuclear strikes. The note in one of the two samples that Check Point recovered falsely attributes its words to a well-known malware analyst from Poland.

Despite initially looking like the work of an inexperienced developer, Azov is by no means lowbrow. In the original sense of the term, it is a computer virus, meaning that it modifies files – in this case by adding polymorphic code to backdoor 64-bit executables – that then attack the infected system. It is also written entirely in assembler, a low-level language that is extremely tedious to work in but that makes the malware more effective at backdooring executables. Beyond the polymorphic code, Azov uses other techniques that make it harder for researchers to detect and analyze.

“Although the Azov sample was considered skidsware when first encountered (probably because of the oddly shaped ransom note), further investigation reveals very advanced techniques – handcrafted assembly, injection of payloads into executables in order to open them through a backdoor, and several anti-analysis tricks normally reserved for security textbooks or high-profile brand-name cybercrime tools,” wrote Check Point researcher Jiri Vinopal. “Azov ransomware should certainly make life harder for the typical reverse engineer than the average malware.”

A logic bomb built into the code causes Azov to detonate at a predetermined time. Once triggered, it iterates over all file directories and runs the deletion routine on each one, skipping certain hard-coded system paths and file extensions. As of last month, more than 17,000 backdoored executables had been submitted to VirusTotal, indicating the malware has become widespread.

Last Wednesday, researchers at security firm ESET unveiled another previously unseen wiper, which they dubbed Fantasy, along with a lateral movement and execution tool called Sandals. The malware was distributed through a supply chain attack that hijacked the infrastructure of an Israeli company that develops software for the diamond industry. Within 150 minutes, Fantasy and Sandals were spreading to the software company’s customers, who worked in human resources, IT support, and diamond wholesaling. The targets were in South Africa, Israel, and Hong Kong.

Fantasy borrows heavily from Apostle, malware that first masqueraded as ransomware before turning out to be a wiper. Apostle has been linked to Agrius, an Iranian threat actor operating in the Middle East. That code reuse led ESET to attribute Fantasy and Sandals to the same group.
