Pulling the Curtains on Azov Ransomware: Not a Skidsware but Polymorphic Wiper – Check Point Research

Check Point Research details how Azov ransomware functions as a polymorphic wiper, including its ability to backdoor 64-bit executables and leverage the SmokeLoader botnet for distribution. The analysis notes an advanced, assembly-built payload with anti-analysis techniques and a destructive wiping routine, with thousands of Azov samples detected on VirusTotal. #AzovRansomware #SmokeLoader

Keypoints

  • Azov can modify certain 64-bit executables to execute its own code using polymorphic techniques.
  • Two versions exist (older and newer) with different ransom notes and the .azov file extension for destroyed data.
  • The malware is manually crafted in assembly with FASM and employs anti-analysis and code obfuscation.
  • Azov wipes data with multi-threaded, intermittent overwriting in 666-byte blocks and then appends the .azov extension to each destroyed file.
  • Persistence is achieved by trojanizing system binaries (msiexec.exe or perfmon.exe) and creating a Run key.
  • The backdooring process injects shellcode into 64-bit executables while preserving the original entry point.
  • Distribution leverages the SmokeLoader botnet, with over 17K Azov-related samples on VirusTotal as of late 2022.

MITRE Techniques

  • [T1027] Obfuscated/Compressed Files and Information – Azov uses anti-analysis and code obfuscation techniques. “Using anti-analysis and code obfuscation techniques.”
  • [T1055] Process Injection – The polymorphic backdooring injects a shellcode blob into 64-bit executables while preserving the PE entry point. “the shellcode start address will be placed at the address of the original Entry Point”
  • [T1485] Data Destruction – The wiping routine overwrites data in blocks until a 4GB limit is reached. “overwrites with random noise … until the hard limit of 4GB is reached”
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys – Persistence via Run key after trojanizing msiexec.exe or perfmon.exe. “A registry entry at SOFTWARE\Microsoft\Windows\CurrentVersion\Run is created pointing to the newly created file.”
  • [T1036] Masquerading – Backdooring involves using legitimate system binaries (e.g., msiexec.exe, perfmon.exe) and saving as rdpclient.exe. “trojanizing (similar to the backdooring routine) the 64-bit Windows system binary msiexec.exe or perfmon.exe and saving it as rdpclient.exe.”
  • [T1562.001] Impair Defenses – Anti-analysis techniques are used to hinder analysis. “Using anti-analysis and code obfuscation techniques.”

Indicators of Compromise

  • [File Hash] – Old Azov sample (SHA256): b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801; New Azov sample (SHA256): 650f0d694c0928d88aeeed649cf629fc8a7bec604563bca716b1688227e0cc7e
  • [Mutex] – Local\azov and Local\Kasimir_%c
  • [File Name] – rdpclient.exe and perfmon.exe
  • [File Extension] – .azov
  • [Registry Key] – SOFTWARE\Microsoft\Windows\CurrentVersion\Run
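Added example (not code from the Check Point report): a small Python triage pass that runs the indicators listed above over constructed host telemetry, matching the two sample hashes, the mutex names Local\azov and Local\Kasimir_%c (the %c is a single-character format placeholder), a Run value pointing at rdpclient.exe, and writes of .azov files. The event schema and the sample events are assumptions made for the example.

```python
import re

# Indicators as listed on this page; the event schema and sample events below are constructed.
AZOV_SHA256 = {
    "b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801",
    "650f0d694c0928d88aeeed649cf629fc8a7bec604563bca716b1688227e0cc7e",
}
# Local\Kasimir_%c is a printf-style format string: exactly one character follows the underscore.
MUTEX_RE = re.compile(r"^Local\\(?:azov|Kasimir_.)$", re.IGNORECASE)
RUN_KEY = r"software\microsoft\windows\currentversion\run"


def triage_event(event):
    """Return the list of Azov indicators matched by one host telemetry event."""
    hits = []
    kind = event.get("type")
    if kind == "process" and event.get("sha256", "").lower() in AZOV_SHA256:
        hits.append("known Azov sample hash")
    if kind == "mutex" and MUTEX_RE.match(event.get("name", "")):
        hits.append("Azov mutex")
    if kind == "registry":
        key, data = event.get("key", "").lower(), event.get("data", "").lower()
        # Persistence: a Run value whose command points at the trojanized rdpclient.exe
        if RUN_KEY in key and data.endswith("rdpclient.exe"):
            hits.append("Run key -> rdpclient.exe")
    if kind == "file" and event.get("path", "").lower().endswith(".azov"):
        hits.append(".azov extension written")
    return hits


def triage(events):
    """Map event id -> matched indicators, keeping only events with at least one hit."""
    return {e["id"]: h for e in events if (h := triage_event(e))}


# Constructed sample telemetry (not from the report); benign look-alikes are included on purpose.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Users\u\app.exe",
     "sha256": "650F0D694C0928D88AEEED649CF629FC8A7BEC604563BCA716B1688227E0CC7E"},
    {"id": 2, "type": "mutex", "name": r"Local\Kasimir_7"},
    {"id": 3, "type": "mutex", "name": r"Local\Kasimir_77"},   # two characters: not %c
    {"id": 4, "type": "registry",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rdp",
     "data": r"C:\ProgramData\rdpclient.exe"},
    {"id": 5, "type": "file", "path": r"D:\docs\report.docx.azov"},
    {"id": 6, "type": "file", "path": r"D:\docs\report.docx"},
]

if __name__ == "__main__":
    for event_id, hits in triage(SAMPLE_EVENTS).items():
        print(event_id, hits)
```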

Read more: https://research.checkpoint.com/2022/pulling-the-curtains-on-azov-ransomware-not-a-skidsware-but-polymorphic-wiper/