Explained: What is Azov, the wiper malware from Russia and why are security experts frustrated by it

FP Staff • December 14, 2022, 16:26:41 IST

Unlike other malware, wiper malware such as Azov wipes your data clean and replaces it with garbled data that makes no sense, corrupting your files. Furthermore, it is extremely difficult for researchers to detect that a system is infected until it is too late.


Over the last year, several wiper malware strains originating in Russia have wreaked havoc across Europe. However, the latest wiper malware, Azov, is particularly worrying for security experts. The hackers who made Azov have adopted a scorched-earth policy.

What this basically means is that once a system is infected, the malware corrupts all your files in a way that renders them irreparable. Basically, this class of wiper malware is designed to inflict maximum damage.

What is a wiper malware and how Azov is different?

Wipers are a class of malware that wipes your data clean and replaces it with garbled data that makes no sense. This class of malware is difficult to deal with because once it infects a system, it wipes and overwrites files in a manner that leaves an identically sized block.

Moreover, wiper malware is usually written in a way that it modifies files, even the most rudimentary 64-bit executable files. Azov in particular is written in assembly, a low-level language that is extremely painstaking to use but also makes the malware more effective in the backdooring process. Besides the polymorphic code, Azov uses other techniques to make detection and analysis by researchers harder. As a result, it is practically impossible for security researchers and experts to detect Azov until it is too late.

What makes Azov different?

Azov moves and operates in a much faster manner. Files are wiped in blocks of 666 bytes by overwriting them with random data, leaving an identically sized block intact, and so on. After it replaces the actual data with garbled data, the Azov malware displays a note that looks like a ransom note but is more like a poem that tells people Kremlin talking points regarding Russia’s war on Ukraine, including the threat of nuclear strikes.

Azov also has a component called a logic bomb, which detonates or activates at a predetermined time. Once triggered, the logic bomb iterates over all file directories and executes the wiping routine on each one, except for specific hard-coded system paths and file extensions, thereby corrupting them.

Although the Azov sample was considered skidsware when first encountered (likely because of the strangely formed ransom note), when probed further one finds very advanced techniques: manually crafted assembly, injecting payloads into executables in order to backdoor them, and several anti-analysis tricks usually reserved for security textbooks or high-profile brand-name cybercrime tools.
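The alternating 666-byte pattern described above leaves a measurable footprint that a responder can use to triage which files were hit. The following is an added example, not code from the article or from any analysis of Azov: it profiles per-block entropy and flags buffers where every other 666-byte block looks random. The function names, thresholds and in-memory sample data are assumptions made for this example.

```python
import math
import random
from collections import Counter

BLOCK = 666  # block size reported in the article

def shannon_entropy(chunk: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0) for one non-empty chunk."""
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())

def block_profile(data: bytes, block: int = BLOCK) -> list:
    """Entropy of every full block; a trailing partial block is ignored."""
    return [shannon_entropy(data[i:i + block])
            for i in range(0, len(data) - block + 1, block)]

def looks_alternately_wiped(data: bytes, high: float = 7.0, gap: float = 1.5,
                            min_blocks: int = 6, ratio: float = 0.9) -> bool:
    """True when every other block looks random and the blocks between do not.

    Thresholds are assumptions for this example. Data that is high-entropy
    throughout (archives, media, ciphertext) cannot be judged and gives False.
    """
    ent = block_profile(data)
    if len(ent) < min_blocks:
        return False
    for phase in (0, 1):  # random blocks may start at block 0 or block 1
        rnd, kept = ent[phase::2], ent[1 - phase::2]
        rnd_hits = sum(e >= high for e in rnd) / len(rnd)
        kept_hits = sum(e <= high - gap for e in kept) / len(kept)
        if rnd_hits >= ratio and kept_hits >= ratio:
            return True
    return False

def constructed_samples(blocks: int = 10) -> dict:
    """In-memory buffers only: constructed data, not from a real sample."""
    rng = random.Random(2022)
    noise = lambda: bytes(rng.getrandbits(8) for _ in range(BLOCK))
    line = b"Quarterly report: revenue, costs and headcount by region.\n"
    text = (line * (blocks * BLOCK // len(line) + 1))[:blocks * BLOCK]
    mixed = b"".join(noise() if i % 2 == 0 else text[i * BLOCK:(i + 1) * BLOCK]
                     for i in range(blocks))
    return {"clean": text, "random": b"".join(noise() for _ in range(blocks)),
            "alternating": mixed, "short": mixed[:3 * BLOCK]}

if __name__ == "__main__":
    for name, buf in constructed_samples().items():
        print(name, looks_alternately_wiped(buf))
```

Only the constructed "alternating" buffer is flagged; uniformly random data is deliberately not flagged because its untouched blocks are indistinguishable from overwritten ones.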
