Azov malware trickle-wipes data

And infects other 64-bit executables

Azov wiper deletes 666 bytes of data at a time, researcher warns


The Azov 'ransomware', which has been widely distributed in recent days, has been found to actually be a data wiper that purposefully deletes information on victim machines and infects other applications.

Azov first appeared last month, when researchers discovered that a threat actor was spreading it using pirated software, cracks and adware packages.

The malware pretended to encrypt data, even sending victims a ransom note. However, instead of providing contact details of the attackers to negotiate a payment, the ransom note (named RESTORE_FILES.txt) told victims to get in touch with security experts and journalists - possibly in an attempt to frame them as the culprits.

Although the wiper gets its name from the Azov military unit of Ukraine, it is thought not to be linked with the country and is using the name as a false flag.

The ransom note says the malware's creators were encrypting machines in protest of the annexation of Crimea and because Western nations were not taking enough measures to support Ukraine in its war against Russia.

Jiří Vinopal, a security researcher at Check Point, recently examined Azov and determined that it was created specifically to damage data, rather than encrypt it.

According to Vinopal, the malware was dormant until a specific date and time: 27th October at 10:14:30 AM UTC. After that date, all the information on affected devices was corrupted.

The researcher told BleepingComputer that Azov overwrites data with junk in alternating 666-byte blocks.

"Each cycle exactly 666 bytes are being overwritten with random (uninitialised data) and the next 666 bytes are left original," he said.

"This works in a loop, so wiped file structure would look like this: 666 bytes of garbage, 666 bytes original, 666 bytes of garbage, 666 bytes original, etc…"
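For triage, the layout Vinopal describes can be checked by comparing a damaged file against a known-good copy, block by block. The following is an added example, not code from the article or from Check Point; it assumes the pattern starts at offset 0 as in the quote, and the function names and the in-memory sample data are constructed for illustration.

```python
BLOCK = 666  # block size quoted in the article

def classify_blocks(damaged, original, block=BLOCK):
    """Compare each block-sized chunk; return (offset, length, intact) tuples."""
    out = []
    for off in range(0, len(original), block):
        good = original[off:off + block]
        out.append((off, len(good), damaged[off:off + block] == good))
    return out

def matches_reported_pattern(blocks):
    """True if blocks 0, 2, 4, ... differ and blocks 1, 3, 5, ... are intact.

    Caveat: an overwritten block whose junk happens to equal the original
    bytes (e.g. a zero-filled region) is indistinguishable from an intact one.
    """
    return bool(blocks) and all(
        intact == (i % 2 == 1) for i, (_, _, intact) in enumerate(blocks))

def recoverable_ranges(blocks):
    """Merge intact blocks into (start, end) byte ranges, end exclusive."""
    ranges = []
    for off, length, intact in blocks:
        if not intact:
            continue
        if ranges and ranges[-1][1] == off:
            ranges[-1] = (ranges[-1][0], off + length)
        else:
            ranges.append((off, off + length))
    return ranges

def constructed_sample(size=3000):
    """Constructed test data, not a real sample: alternate blocks byte-inverted."""
    original = bytes(i % 251 for i in range(size))
    damaged = bytearray(original)
    for off in range(0, size, 2 * BLOCK):
        chunk = original[off:off + BLOCK]
        damaged[off:off + BLOCK] = bytes(b ^ 0xFF for b in chunk)
    return original, bytes(damaged)

if __name__ == "__main__":
    original, damaged = constructed_sample()
    blocks = classify_blocks(damaged, original)
    print("matches reported pattern:", matches_reported_pattern(blocks))
    for start, end in recoverable_ranges(blocks):
        print(f"intact bytes {start}-{end - 1}")
```

The intact ranges show how little of a file survives in usable form: roughly half the bytes remain, but never more than 666 in a row.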

On Windows devices, the malware has also been found to backdoor other 64-bit executables whose paths do not include certain strings.

When malware backdoors an executable file, it injects code into the file that allows the data wiper to run whenever the harmless executable file is launched - so Azov could be triggered by opening an unrelated file or programme.

The researchers say Azov is being distributed using the SmokeLoader botnet virus, which could lead to the simultaneous installation of password-stealing malware as well as other backdoors.

The threat actor's motives are currently unknown; they don't appear to be making money, and are actually spending it to spread the wiper. Researchers warn that there is currently no remedy.

It is recommended that users refrain from using cracked software and copies of any files they get from the internet, to prevent infection.