A logic bomb built into the code causes Azov to detonate at a predetermined time. Once triggered, the logic bomb iterates over all file directories and executes the wiping routine on each one, except for specific hard-coded system paths and file extensions. As of last month, more than 17,000 backdoored executables had been submitted to VirusTotal, indicating that the malware has spread widely.
Last Wednesday, researchers from security firm ESET disclosed another previously unseen wiper they called Fantasy, along with a lateral movement and execution tool named Sandals. The malware was spread using a supply-chain attack that abused the infrastructure of an Israeli firm that develops software for use in the diamond industry. Over a 150-minute period, Fantasy and Sandals spread to the software maker’s customers engaged in human resources, IT support services, and diamond wholesaling. The targets were located in South Africa, Israel, and Hong Kong.
Fantasy heavily borrows code from Apostle, malware that initially masqueraded as ransomware before revealing itself as a wiper. Apostle has been linked to Agrius, an Iranian threat actor operating out of the Middle East. The code reuse led ESET to attribute Fantasy and Sandals to the same group.
A brief history of wipers
The documentation of Azov, Fantasy, and Sandals comes days after researchers at security firm Kaspersky detailed CryWiper, a never-before-seen wiper that attacked courts and mayoral offices in Russia.
The wiper discoveries come as this form of destructive malware has grown increasingly common over the past decade. In 2012, a wiper known as Shamoon wreaked havoc on Saudi Arabia’s Saudi Aramco and Qatar’s RasGas. Four years later, a new variant of Shamoon returned and struck multiple organizations in Saudi Arabia.
In 2017, self-replicating malware that Russia initially unleashed on Ukraine spread across the globe in a matter of hours. Known as NotPetya, the wiper caused an estimated $10 billion in damage, making it the most costly cyberattack in history. In the past year, a flurry of new wipers has appeared. They include DoubleZero, IsaacWiper, HermeticWiper, CaddyWiper, WhisperGate, AcidRain, Industroyer2, and RuRansom.