As an apparent method of political commentary on the war in Ukraine, the new Azov wiper uses a mix of intermittent overwriting and trojanizing Windows binaries to annihilate its’ victims.
When the Ukraine war started earlier this year, we started seeing a barrage of “wiper” malware – designed to “wipe out” victim systems, making them unusable. We’ve looked at HermeticWiper, CaddyWiper, and a few others – including the first sighting of the Azov wiper.
A new analysis of the wiper malware from Check Point Research shows just how crafty and nasty it really is. First off, it overwrites 666 bytes of data with random noise, skips 666 bytes and repeats the process until it reaches 4GB of data – at which point, it leaves the remainder of the file intact. This use of intermittent wiping makes the attack – according to Check Point – “effective, fast, and unfortunately unrecoverable.”
To establish persistence, Azov takes existing 64-bit Windows system such as binary msiexec.exe or perfmon.exe and trojanizes them (according to Check Point, similarly to a backdooring process) and saves them as rdpclient.exe, calling them from the registry’s Run key.
Most of Azov’s initial attack vectors were pirated software, but that doesn’t make organizations today safe; all it takes it one technically-savvy user who “thinks they know what they’re doing” with less-than-reputable downloads from the Internet, and the entire org can be wiped out.
It’s necessary to educate users on the dangers of engaging with any unknown binaries on corporate endpoints – something taught with Security Awareness Training – to keep the organization from being put at risk of cyberattack.
I’d expect to see wiper malware continue to grow, as – based on the news coverage – it works as a means of making a political statement.
%20(1).jpg?width=317&name=RogerMasterClass-FeatureImage%20(1)%20(1).jpg)
