Azov first came to the attention of the information security community as a payload of the SmokeLoader botnet, commonly found in fake pirated software and crack sites.
One thing that sets Azov apart from your garden-variety ransomware is its modification of certain 64-bit executables to execute its own code. The modification of executables is done using polymorphic code, so as not to be potentially foiled by static signatures, and is also applied to 64-bit executables, which the average malware author would not have bothered with.
Technical Analysis: Highlights:
- Manually crafted in assembly using FASM
- Using anti-analysis and code obfuscation techniques
- Multi-threaded intermittent overwriting (looping 666 bytes) of original data content
- Polymorphic way of backdooring 64-bit “.exe” files across the compromised system “logic bomb” set to detonate at a certain time.
- No network activity and no data exfiltration
- Using the SmokeLoader botnet and trojanized programs to spread
- Effective, fast, and unfortunately unrecoverable data wiper
Deconstructing Azov: Sophisticated Wiper