Agrius & Azov for the Holidays

10913981254?profile=RESIZE_400xCybersecurity researchers have published the inner workings of a new wiper called Azov Ransomware that's deliberately designed to corrupt data and "inflict impeccable damage" to compromised systems.  Azov is the name of ransomware, malware that blocks access to files by encrypting them.  It encrypts all files (except files with .ini, .dll, and .exe extensions) and appends the ".azov" extension to their filenames. Also, Azov drops ransom notes (the "RESTORE_FILES.txt" files) in all folders that it has scanned for files.

Distributed through another malware loader, SmokeLoader, the malware has been described as an "effective, fast, and unfortunately unrecoverable data wiper" by Israeli cybersecurity company Check Point. Its origins have yet to be determined.  Smoke Loader is a small application used to download other malware. It is often distributed via spam campaigns and exploits kits.  When Smoke Loader is installed, it replaces itself with a recent update from its C2 server to make detection more difficult.[1]

The wiper routine is set to overwrite a file's contents in alternating 666-byte chunks with random noise. A technique referred to as intermittent encryption is increasingly leveraged by ransomware operators to evade detection and encrypt victims' files faster. One thing that sets Azov apart from your garden-variety ransomware is its modification of specific 64-bit executables to execute its code. The modification of executables is done using polymorphic code so as not to be potentially foiled by static signatures.

Azov Ransomware also incorporates a logic bomb, a set of conditions that should be met before activating a malicious action to detonate the execution of the wiping and back-door functions at a predetermined time. Although the Azov sample was considered Skidsware (but Polymorphic Wiper) when first encountered [...] when probed further, one finds very advanced techniques, manually crafted assembly, injecting payloads into executables to backdoor them, and several anti-analysis tricks usually reserved for security textbooks or high-profile brand-name cybercrime tools.

The development comes amid a profusion of destructive wiper attacks since the start of the year. This includes WhisperGate, HermeticWiper, AcidRain, IsaacWiper, CaddyWiper, Industroyer2, DoubleZero, RURansom, and CryWiper.

Recently, the security firm ESET disclosed another unseen wiper called Fantasy that's spread using a supply chain attack targeting an Israeli software company to target customers in the diamond industry. The malware has been linked to a threat actor called Agrius.  The name in ancient Greek means wild or savage.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@wapacklabs.com      

Weekly Cyber Intelligence Briefings:

  • Reporting: https://www. redskyalliance. org/   
  • Website: https://www. wapacklabs. com/  
  • LinkedIn: https://www. linkedin. com/company/64265941   

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989  

 

[1] https://thehackernews.com/2022/12/cybersecurity-experts-uncover-inner.html

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!