
Ukrainian CERT-UA observes malware-based attacks at Ukrainian organisations, employing a wiper dubbed DoubleZero.

On March 17, 2022, the government CERT began observing these campaigns, in which the threat actors delivered the malware through spear-phishing emails.

The archive contains an obfuscated .NET program. Experts identified it as DoubleZero, and analysis showed that it was built to destroy the infected system.

“On March 17, 2022, the government team responding to computer emergencies in Ukraine CERT-UA discovered several ZIP archives, one of which was called ‘Virus … extremely dangerous !!!. Zip’,” states the advisory disclosed by CERT-UA.

“As a result of the analysis, the identified programs are classified as DoubleZero – a malicious destructor program developed using the C# programming language.”

DoubleZero wipes files using one of two methods: overwriting their content with zero blocks of 4096 bytes, or using the API calls NtFileOpen and NtFsControlFile (control code FSCTL_SET_ZERO_DATA). Either way, the affected file reads back as nothing but zero bytes.
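Added example, not code from the CERT-UA advisory or from this article: a small forensic triage script in Python that walks a directory tree and reports files whose entire content reads as zeros, which is what both wiping methods described above leave behind (a zeroed range set with FSCTL_SET_ZERO_DATA also reads back as zeros). The 4096-byte block size is taken from the description; the file names and directory layout in `demo()` are constructed sample data, and the helper names are this example's own.

```python
import os
import tempfile
from pathlib import Path

BLOCK_SIZE = 4096  # block size of the zero overwrites described in the CERT-UA advisory
ZERO_BLOCK = bytes(BLOCK_SIZE)


def is_zero_filled(path, block_size=BLOCK_SIZE):
    """Return True if a non-empty file consists only of 0x00 bytes.

    Reads in block_size chunks so large files are not loaded whole.
    Files wiped by overwriting and files zeroed via FSCTL_SET_ZERO_DATA
    both match; an empty file does not (nothing was overwritten there).
    """
    if os.path.getsize(path) == 0:
        return False
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(block_size)
            if not chunk:
                return True
            # compare against a zero buffer of the same length as the chunk read
            if chunk != ZERO_BLOCK[: len(chunk)]:
                return False


def scan_tree(root, block_size=BLOCK_SIZE):
    """Walk a directory tree and return (relative path, size) for every zero-filled file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                if is_zero_filled(full, block_size):
                    hits.append((os.path.relpath(full, root), os.path.getsize(full)))
            except OSError:
                continue  # unreadable file: skip it rather than abort the triage
    return sorted(hits)


def demo():
    """Build a constructed sample tree (hypothetical file names) and scan it."""
    root = Path(tempfile.mkdtemp(prefix="dz_triage_"))
    (root / "docs").mkdir()
    # intact file: a ZIP-style header followed by random content
    (root / "docs" / "report.docx").write_bytes(b"PK\x03\x04" + os.urandom(5000))
    # zero-filled file, exactly three 4096-byte blocks
    (root / "docs" / "wiped.xlsx").write_bytes(bytes(3 * BLOCK_SIZE))
    # zero-filled file whose size is not block aligned (last chunk is shorter)
    (root / "partial.txt").write_bytes(bytes(BLOCK_SIZE + 17))
    # empty file: not a wipe, must not be reported
    (root / "empty.log").write_bytes(b"")
    return scan_tree(root)


if __name__ == "__main__":
    for rel, size in demo():
        print(f"zero-filled: {rel} ({size} bytes)")
```

Run it against a mounted image or a copy of a suspect share rather than the live system, and treat the output as a list of candidates to confirm against backups or file timestamps: legitimately pre-allocated or sparse files can also read as all zeros.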

The malware then deletes the following Windows registry hives, HKCU, HKU, HKLM and HKLM BCD, before shutting down the infected system.

“The activity is tracked by the UAC-0088 identifier and is directly related to attempts to violate the regular mode of operation of information systems of Ukrainian enterprises,” concludes the alert that also reports Indicators of Compromise (IoCs).