The malware included a trigger time that would cause it to sit dormant on the victim’s devices until October 27th, 2022, at 10:14:30 AM UTC, which would then trigger the corruption of all data on the device.
The wiper would overwrite a file’s contents and corrupt data in alternating 666-byte chunks of garbage data. The number 666 is commonly associated with the biblical ‘Devil,’ clearly showing the malicious intent of the threat actor.
Each cycle exactly 666 bytes are being overwritten with random (uninitialized data) and the next 666 bytes are left original, This works in a loop, so wiped file structure would look like this: 666 bytes of garbage, 666 bytes original, 666 bytes of garbage, 666 bytes original.
The data wiper will infect, or ‘backdoor,’ other 64-bit executables on the Windows device whose file path does not contain the following strings:
:Windows
ProgramData
cache2entries
LowContent.IE5
User DataDefaultCache
Documents and Settings
When backdooring an executable, the malware will inject code that will cause the data wiper to launch when a seemingly harmless executable is launched.
Backdooring of the files works in a polymorphic way, which means the same shellcodes used to backdoor files are every time encoded differently.
Today, the threat actor continues distributing the malware through the Smokeloader botnet, commonly found in fake pirated software and crack sites.
It is unclear why the threat actor is spending money to distribute a data wiper. However, theories range from it being done to cover up other malicious behavior or simply to ‘troll’ the cybersecurity community.
Regardless of the reason, victims who are infected with Azov Ransomware will have no way of recovering their files, and as other executables are infected, they should reinstall Windows to be safe.
Furthermore, as Smokeloader is being used to distribute the Azov data wiper, it is likely also installed with other malware, such as password-stealing malware. Therefore, it is essential to reset any passwords to email accounts, financial services, or other sensitive information.
Finally, while the ransomware is named after the Ukrainian ‘Azov’ military regiment, this malware is likely not affiliated with the country and is just using the name as a false flag.
Sign Up For Threat Alerts
Jul 04, 2023
Rhysida Ransomware RaaS Crawls Out of Crimeware...
The Rhysida ransomware-as-a-service (RaaS) group has gone from a dubious newcomer to a fully-fledged ransomware...
Jun 26, 2023
Operation Magalenha – Long-Running Campaign Pursues Portuguese...
The attackers can steal credentials and exfiltrate users' data and personal information, which can be...
Apr 24, 2023
Lazarus Group Adds Linux Malware to Arsenal...
Researchers have discovered a new campaign conducted by Lazarus, known as "Operation DreamJob," which targets...
Apr 23, 2023
Additional IOCs for 3cx breach
Recently an unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp was observed.
Apr 23, 2023
Ex-Conti and FIN7 Actors Collaborate with New...
IBM Security X-Force recently discovered a new malware family Analysts have called "Domino," which Analysts...
Apr 20, 2023
AuKill EDR killer malware abuses Process Explorer...
The AuKill tool abuses an outdated version of the driver used by version 16.32 of...
Apr 20, 2023
Fake Chrome updates spread malware
A campaign running since the end of last year is using hacked sites to push...
Apr 20, 2023
QBot using new attack vector in its...
QBot, also known as QakBot, previously operated as a banking trojan and has since transformed...
Apr 20, 2023
CrossLock Ransomware Emerges: New Golang – Based...
The CrossLock ransomware employs the double extortion technique to increase the likelihood of payment from...
Apr 20, 2023
Windows Zero-Day Vulnerability CVE-2023-28252 Exploited by Nokoyawa...
A zero-day vulnerability in the Microsoft Windows system, which also affects Windows 11, has been...
Apr 18, 2023
Additional IOcs for 3cx breach
Recently an unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp was observed. As...
Apr 18, 2023
Additional IOcs for 3cx breach
Recently an unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp was observed. As...
Apr 18, 2023
APT36 Expands Interest Within Indian Education Sector
Symantec described UPS in 2016 report as Buckeye (also known as APT3 Gothic Panda UPS...
Apr 17, 2023
ChinaZ DDoS Bot Malware Distributed To Linux...
The ChinaZ DDoS bot malware was discovered targeting Linux systems while a version for Microsoft...
Apr 16, 2023
Resurgence Of The Mexals Cryptojacking Campaign
The Mexals crypto jacking campaign has been in operation since at least 2021 and continues...