Over the last year, several wiper malware families originating in Russia have wreaked havoc across Europe. The latest of them, Azov, is particularly worrying for security experts, because its authors have adopted a scorched-earth approach.
Once a machine is infected, the malware corrupts files in a way that leaves them beyond repair: the data is overwritten rather than encrypted, so there is nothing to decrypt and no key to buy. This class of wiper is designed to inflict maximum damage.
What is wiper malware, and how is Azov different?
Wipers are a class of malware whose purpose is destruction rather than extortion: they overwrite your data with garbage that makes no sense. They are hard to deal with because, once one has run on a system, the original bytes are simply gone; the file keeps its name and size, but its contents are meaningless.
Azov goes further than plain overwriting. It also modifies files it does not destroy, injecting its own code into 64-bit executables on the system so that they become backdoored carriers of the wiper.
Azov is written in assembly, a low-level language that is tedious to work in but gives the author full control over every byte emitted, which suits a payload meant to be injected into other executables. Besides polymorphic code, Azov uses other anti-analysis techniques that make detection and reverse engineering harder. The practical consequence is that Azov is very difficult to catch before the damage is done.
What makes Azov different?
Azov does not overwrite a file from start to finish. It works in alternating 666-byte blocks: it overwrites 666 bytes with random data, leaves the next 666 bytes intact, overwrites the next 666, and so on to the end of the file. Skipping every other block makes the pass over a disk faster than overwriting every byte, and it does not help the victim: a document or executable with half of its blocks destroyed is unusable, and because no key was involved, the random data cannot be reversed.
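To make the block pattern concrete, here is an added triage helper; it is my example, not Check Point's analysis code or anything taken from the Azov sample. It reproduces the described damage on a constructed in-memory sample, then checks whether a buffer shows the alternating wiped/intact pattern and lists the 666-byte fragments that still look intact, which is all a forensic analyst could hope to salvage. The 666-byte block size is the one described above; the entropy cut-off of 7.0 bits per byte, the seeded random generator and the sample text are assumptions made for the illustration.

```python
import math
import random
from collections import Counter
from typing import Iterator, List, Tuple

BLOCK = 666            # chunk size described in the write-up
ENTROPY_CUTOFF = 7.0   # assumed threshold (bits/byte): above this a 666-byte block is treated as random garbage

# Constructed sample "document" for the demonstration (not a real victim file).
SAMPLE = b"Quarterly report, Q3 FY22: revenue flat, headcount up 4%.\n" * 60


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8 for random bytes, roughly 4-5 for
    English text, 0 for a run of a single byte value."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def random_bytes(n: int, seed: int) -> bytes:
    """Deterministic pseudo-random bytes so the demo is reproducible."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def blocks_of(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (offset, chunk) for every 666-byte block, including a short tail."""
    for off in range(0, len(data), BLOCK):
        yield off, data[off:off + BLOCK]


def simulate_alternating_wipe(original: bytes, seed: int = 1) -> bytes:
    """Test-data generator only: reproduce the described damage on an in-memory
    copy. Even-numbered blocks (0, 2, 4, ...) are overwritten with random data,
    odd-numbered blocks are left untouched."""
    out = bytearray(original)
    rng = random.Random(seed)
    for off, chunk in blocks_of(original):
        if (off // BLOCK) % 2 == 0:
            out[off:off + len(chunk)] = bytes(rng.getrandbits(8) for _ in range(len(chunk)))
    return bytes(out)


def block_map(data: bytes) -> List[bool]:
    """One entry per full 666-byte block: True if it looks overwritten (high
    entropy), False if it looks intact. A partial tail is skipped because the
    entropy of a short random fragment is bounded by log2(len) and would be
    misjudged as intact."""
    return [shannon_entropy(chunk) > ENTROPY_CUTOFF
            for _, chunk in blocks_of(data) if len(chunk) == BLOCK]


def matches_alternating_pattern(data: bytes) -> bool:
    """True when full blocks alternate wiped/intact starting with a wiped block,
    as the write-up describes. A buffer that is random from end to end (for
    example a file encrypted by ordinary ransomware) does not match, because its
    odd blocks are high-entropy too; neither does an untouched file."""
    m = block_map(data)
    return len(m) >= 2 and all(wiped == (i % 2 == 0) for i, wiped in enumerate(m))


def intact_fragments(data: bytes) -> List[Tuple[int, bytes]]:
    """(offset, bytes) of every block that still looks intact: the most an
    analyst can salvage from a file damaged this way. The tail is included
    here because dropping it would discard real data; see block_map's caveat."""
    return [(off, chunk) for off, chunk in blocks_of(data)
            if shannon_entropy(chunk) <= ENTROPY_CUTOFF]


def main() -> None:
    damaged = simulate_alternating_wipe(SAMPLE)
    print("clean sample matches pattern:  ", matches_alternating_pattern(SAMPLE))
    print("damaged sample matches pattern:", matches_alternating_pattern(damaged))
    print("block map of damaged sample:   ", block_map(damaged))
    for off, chunk in intact_fragments(damaged):
        print(f"intact fragment at offset {off}: {chunk[:40]!r}...")
    print("end-to-end random buffer matches pattern:",
          matches_alternating_pattern(random_bytes(4000, seed=2)))


if __name__ == "__main__":
    main()
```

Two caveats worth keeping in mind when using an entropy heuristic like this on real disks. A file that is already high-entropy everywhere (compressed archives, images, encrypted containers) shows no alternation, so damage to it will not be recognised by this check; and the strict alternation test is also what separates Azov-style damage from conventional ransomware, whose output is random from the first byte to the last.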
Once the data has been garbled, Azov drops a note that looks like a ransom note but reads more like a political poem, repeating Kremlin talking points about Russia's war on Ukraine, including the threat of nuclear strikes. Because the data was overwritten rather than encrypted, the note cannot lead to recovery; it is propaganda, not an offer.
Azov also contains a logic bomb: the destructive routine stays dormant until a predetermined date and time, then fires. Once triggered, it walks every directory on the system and runs the wiping routine on each file it finds, skipping only a hard-coded list of system paths and file extensions. For responders this matters in two ways: an infected host can look quiet until the trigger time, and a sample caught before that time gives defenders a window in which containment is still possible.
Although the Azov sample was dismissed as skidware when first encountered (likely because of its strangely worded ransom note), closer probing reveals very advanced techniques: hand-crafted assembly, payload injection into executables to backdoor them, and several anti-analysis tricks usually seen only in security textbooks or in high-profile, brand-name cybercrime tools.