An emergent data wiper ransomware known as Azov – which first came to attention as a payload delivered by the SmokeLoader botnet – is becoming increasingly widespread and seems to be on its way to being an active and dangerous threat, according to researchers at Check Point.
Azov is distinct from more common or garden forms of ransomware because it is capable of modifying certain 64-bit executables to run its own code, explained Check Point researcher Jiří Vinopal, who said this feature harked back to a more old-fashioned kind of malware.
“Before the advent of the modern-day internet, this behaviour used to be the royal road for the proliferation of malware; because of this, to this day, it remains the textbook definition of ‘computer virus’ – a fact dearly beloved by industry pedants, and equally resented by everyone else,” Vinopal said in his write-up.
“The modification of executables is done using polymorphic code, so as not to be potentially foiled by static signatures, and is also applied to 64-bit executables, which the average malware author would not have bothered with.”
Azov’s aggressive polymorphic infection of victim executables has resulted in a deluge of publicly available infected files, said Vinopal, with VirusTotal receiving hundreds of submissions daily – it already has 17,000 samples.
Vinopal described Azov as a “fast, effective and unfortunately unrecoverable” data wiper that works by means of a logic bomb, which detonates at a specific time to wipe its victims’ files.
This proliferation of samples allowed Vinopal and his team to identify two different types of Azov with different ransom notes and different file extensions for the files it destroys.
The new version exploits a number of pro-Ukraine talking points to attempt to get victims in the West to pressurise their governments into increasing military aid to Ukraine, saying that not to do so risks nuclear war.
The Azov name likely reflects the pro-Ukraine stance of its unknown creator or creators, Azov being both the northern area of the Black Sea separating Crimea from mainland Russia and a paramilitary brigade of the Ukrainian armed forces alleged to be linked to far-right, neo-Nazi groups.
The note also attempts to frame a number of high-profile people in the security community, as well as Bleeping Computer.
The older ransom note is rather more poetic and for unknown reasons seems to draw extensively on The Evolution of Trust, a 2017 interactive web game that explores how game theory can be applied to interpersonal trust.
Vinopal said that although the unconventional nature of Azov’s ransom note had led some to consider it skidware at first, it in fact demonstrated very advanced techniques and anti-analysis tricks that are more usually the purview of big-name cyber crime operations, which “ought to give the typical reverse engineer a harder time than the average malware”.
Vinopal said it was not really possible to ascribe a motive to the production and spread of Azov. “One might simply write it off as the actions of a disturbed individual; though if one wanted to see this as an egregious false flag meant to incite anger at Ukraine and troll victims more generally, they certainly would have a lot of evidence for that hypothesis, too,” he wrote.
“The number of already detected Azov-related samples is so large that if there was ever an original target, it has long since been lost in the noise of indiscriminate infections. The only thing we can say with certainty, and what has been confirmed by all this analysis, is that Azov is an advanced malware designed to destroy the compromised system.”
The use of wiper malware by malicious actors has skyrocketed in 2022, with a clear link demonstrated to Russia’s war on Ukraine. At the onset of the conflict in February and March 2022, researchers identified multiple such malware with names such as WhisperGate, HermeticWiper, IsaacWiper and CaddyWiper being deployed against targets in Ukraine, presumably by Russian operators.
Azov, by dint of its pro-Ukraine stance and its targeting of organisations in countries supportive of Kyiv’s struggle, would seem to mark a departure from this trend and an escalation in the use of such malware: the goal of destructive malware is not merely to disrupt its victim, but to completely destroy the technology that supports critical business functions.
As such, organisations where complete system disruption could have life-altering consequences for innocent users – such as utility operators and healthcare bodies – should be particularly alert to the risks.
Indicators of compromise for the two original Azov samples analysed by Vinopal, and Yara rules, can be found on Check Point’s research blog.