Nine different families of wiper malware have emerged in 2022. Researchers discovered at least two more in the last week. Both have sophisticated codebases built to wreak havoc.
On Monday, Check Point’s research division published a report on Azov, a previously unknown data wiper that experts describe as effective, quick and ultimately unrecoverable.
The malware overwrites files in 666-byte blocks: the first 666 bytes of a file are replaced with random data, the next 666 bytes are left intact, and that pattern repeats to the end of the file. Because every second block is destroyed, what survives cannot be reassembled into a usable file.
How the malware works
Once it permanently destroys data on infected machines, Azov shows a note that’s reminiscent of ransomware announcements. The note includes talking points related to Putin’s war on Ukraine, complete with the threat of nuclear strikes.
The note from one of two samples recovered by Check Point falsely attributes the words to a renowned Polish malware analyst.
Even though the note reads like the work of juvenile developers, the malware itself is sophisticated. It is a computer virus in the classic sense, meaning it infects other files to spread: in this case it injects polymorphic code into 64-bit executables, turning them into backdoored carriers.
Azov is smarter than it looks
The malware is written in assembly, a low-level language that is laborious to work with but well suited to the compact, self-contained code a file infector injects into other executables. Azov uses several techniques to obstruct detection and analysis, including polymorphic code.
Azov also contains a logic bomb: the wiping routine stays dormant until a preset time and then runs repeatedly, sparing only a short hard-coded list of system paths and file extensions.
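As an added example (not code from Check Point's report or from Azov itself): the alternating 666-byte overwrite pattern described above, modelled in memory on a constructed document, together with a triage check a responder could run over a suspect file to recognise that pattern and carve the 666-byte runs the wiper leaves alone. The entropy threshold, the seeded random generator standing in for the wiper's random data, and the sample document are all assumptions of the example.

```python
import math
import random

BLOCK = 666  # block size reported for Azov: 666 bytes overwritten, 666 left intact, repeat
HIGH_ENTROPY = 7.0  # assumed threshold; a full block of random bytes scores roughly 7.7 bits/byte

# Constructed low-entropy sample "document" for the demonstration (not a real artifact).
SAMPLE_DOCUMENT = b"Quarterly report: revenue figures and customer list. " * 80


def shannon_entropy(chunk: bytes) -> float:
    """Bits of entropy per byte of a chunk (0.0 for empty input)."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def simulate_intermittent_wipe(data: bytes, seed: int = 1337) -> bytes:
    """In-memory model of the reported pattern: overwrite 666 bytes with random
    data, skip the next 666, and so on. A seeded generator is used here only so
    the example is reproducible; it says nothing about the wiper's own RNG."""
    rng = random.Random(seed)
    out = bytearray(data)
    for start in range(0, len(out), 2 * BLOCK):
        end = min(start + BLOCK, len(out))
        out[start:end] = bytes(rng.getrandbits(8) for _ in range(end - start))
    return bytes(out)


def classify_blocks(data: bytes, threshold: float = HIGH_ENTROPY) -> list:
    """One flag per 666-byte block: True when the block looks overwritten."""
    return [shannon_entropy(data[i:i + BLOCK]) >= threshold
            for i in range(0, len(data), BLOCK)]


def matches_azov_pattern(data: bytes, min_blocks: int = 4) -> bool:
    """True when blocks strictly alternate overwritten/intact, starting with an
    overwritten block, over at least min_blocks full blocks. A trailing partial
    block is ignored because entropy estimates on short inputs are unreliable."""
    flags = classify_blocks(data)
    if len(data) % BLOCK:
        flags = flags[:-1]
    if len(flags) < min_blocks:
        return False
    return all(flag == (idx % 2 == 0) for idx, flag in enumerate(flags))


def intact_fragments(data: bytes) -> list:
    """The 666-byte runs the pattern leaves untouched. They can still be carved
    for strings or indicators during triage, even though the file as a whole
    cannot be rebuilt from them."""
    return [data[i:i + BLOCK] for i in range(BLOCK, len(data), 2 * BLOCK)]


if __name__ == "__main__":
    wiped = simulate_intermittent_wipe(SAMPLE_DOCUMENT)
    for i, flag in enumerate(classify_blocks(wiped)):
        print(f"block {i}: {'overwritten' if flag else 'intact'}")
    print("Azov-style alternating pattern:", matches_azov_pattern(wiped))
    print("intact fragments recovered:", len(intact_fragments(wiped)))
```

The check only works on files whose original content was low-entropy (documents, source, most databases): a compressed archive or encrypted container already scores near 8 bits/byte in every block, so the alternation is invisible to an entropy test and a structural check on the file format is needed instead.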
More than 17,000 backdoored executables have been reported to VirusTotal as of last month, demonstrating the malware’s widespread distribution.