Cybersecurity experts analyzed destructive Azov ransomware 

Security researchers have published details of the novel mechanism behind the spread of a new scareware program called Azov Ransomware, which is designed to render data inaccessible and cause “unalloyed damage” to compromised systems.

Distributed through another malware loader known as SmokeLoader, the malware has been described by Israeli cybersecurity company Check Point as an effective, fast and unrecoverable data wiper. Its origins are currently unknown.

The wiper routine overwrites a file’s contents in alternating 666-byte chunks of random noise over a stipulated period, a technique called intermittent encryption that cybercriminals are increasingly employing to evade detection and encrypt their victims’ files faster.
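As an added example (not code from the page or from Check Point's analysis), the following Python heuristic looks for the alternating-chunk pattern described above in a file's contents, using the 666-byte chunk size from the report; the in-memory sample buffers, the 7.0-bit entropy threshold and the minimum chunk count are assumptions chosen for illustration.

```python
import math
import random
from collections import Counter

CHUNK = 666          # chunk size reported for Azov's overwrite pattern
HIGH_ENTROPY = 7.0   # bits/byte; random noise in a 666-byte chunk sits near 7.8


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of a byte string (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list[float]:
    """Entropy of each full chunk; a trailing partial chunk is skipped because
    its entropy is capped by its length and would look 'low' even if random."""
    full = len(data) - len(data) % chunk
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, full, chunk)]


def looks_intermittently_wiped(data: bytes, chunk: int = CHUNK,
                               threshold: float = HIGH_ENTROPY,
                               min_chunks: int = 4) -> bool:
    """Flag content whose chunks strictly alternate between high and low entropy.
    Uniformly high entropy (compressed or encrypted files) and uniformly low
    entropy are not flagged, so ordinary archives and media do not trip it."""
    hi = [e >= threshold for e in chunk_entropies(data, chunk)]
    if len(hi) < min_chunks:
        return False
    alternating = all(hi[i] != hi[i + 1] for i in range(len(hi) - 1))
    return alternating and any(hi)


def build_samples(seed: int = 1234) -> tuple[bytes, bytes, bytes]:
    """Constructed in-memory fixtures (not real Azov artefacts): a plain-text
    document, the same document with every other chunk replaced by noise, and
    a uniformly random blob standing in for a compressed file."""
    rng = random.Random(seed)
    clean = b"The quick brown fox jumps over the lazy dog. " * 200  # 9000 bytes
    chunks = [clean[i:i + CHUNK] for i in range(0, len(clean), CHUNK)]
    wiped = b"".join(rng.randbytes(len(c)) if i % 2 else c for i, c in enumerate(chunks))
    compressed_like = rng.randbytes(len(clean))
    return clean, wiped, compressed_like


if __name__ == "__main__":
    for name, blob in zip(("clean", "wiped", "random"), build_samples()):
        print(f"{name:8s} flagged={looks_intermittently_wiped(blob)}")
```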


“One thing that sets Azov apart from the run-of-the-mill ransomware is its modification of certain 64-bit executables to execute its code,” risk researcher Jiří Vinopal said. “The procedure of modifying executables is executed by way of polymorphic code, so it’s not likely to be detected by a static signature.”

Azov Ransomware also includes a logic bomb, a set of conditions that must be met before the payload executes, so that the wiping and backdooring routines are only triggered at a predetermined date.


Vinopal went on to report that although the Azov sample had initially been dismissed as skidware, closer analysis found that it comprised advanced manually crafted assembly techniques, anti-analysis tricks and specific payload-injection schemes for backdooring executables.

Since the start of the year there has been a profusion of destructive wiper attacks, including those attributed to WhisperGate, HermeticWiper, AcidRain, IsaacWiper, CaddyWiper, Industroyer2, DoubleZero, RURansom and CryWiper.

Last week, security firm ESET revealed that it had discovered a new wiper named Fantasy, delivered via a supply-chain attack targeting a software company serving the Israeli diamond sector. It is suspected to be the work of a threat actor known as Agrius.
