13 December 2022

Researchers detail inner workings of Azov ransomware


Researchers at Israeli cybersecurity firm Check Point have shed some light on the inner workings of Azov, malware that presents itself as ransomware but is in fact a wiper designed to corrupt data and “inflict impeccable damage” on compromised systems.

“One thing that sets Azov apart from your garden-variety ransomware is its modification of certain 64-bit executables to execute its own code. Before the advent of the modern-day internet, this behavior used to be the royal road for the proliferation of malware,” Check Point notes in a technical write-up. “Because of this, to this day, it remains the textbook definition of ‘computer virus’ (a fact dearly beloved by industry pedants, and equally resented by everyone else). The modification of executables is done using polymorphic code, so as not to be potentially foiled by static signatures, and is also applied to 64-bit executables, which the average malware author would not have bothered with.”
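The file-infection behaviour Check Point describes (patching 64-bit executables so that they run injected code) can be triaged at the PE header level before anyone touches the polymorphic stub itself: once an infector redirects a program's entry point into its own appended or writable section, that shows up in the section table. The Python below is an added example written for this article, not Check Point's code and not derived from Azov samples. It implements a generic infected-executable heuristic, builds two constructed header-only PE32+ images to run it against (the section name `.inject` and the layout are invented), and is not an Azov signature; real files can trip these checks for legitimate reasons (packers, self-extracting installers), so treat hits as triage leads, not verdicts.

```python
"""Header-level triage for 64-bit PE files: does the entry point still live in
the original code section, or has it been moved into injected code?
Generic infected-executable heuristic (added example, not Check Point's code)."""
import struct
import sys

IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32PLUS_MAGIC = 0x20B
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe64(data):
    """Return (machine, entry_rva, sections) from raw PE32+ bytes.
    Each section is (name, virtual_address, size, characteristics)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER64
    if struct.unpack_from("<H", data, opt)[0] != PE32PLUS_MAGIC:
        raise ValueError("not a PE32+ (64-bit) image")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    first = opt + opt_size                   # section table follows the optional header
    for i in range(nsections):
        name, vsize, va, rawsize, _, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, first + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         va, vsize or rawsize, chars))
    return machine, entry_rva, sections


def triage_entry_point(data):
    """Return (entry_section_name, findings). Empty findings = nothing odd."""
    machine, entry_rva, sections = parse_pe64(data)
    findings = []
    if machine != IMAGE_FILE_MACHINE_AMD64:
        findings.append("machine type 0x%x is not AMD64" % machine)
    hit = next((i for i, (_, va, size, _) in enumerate(sections)
                if va <= entry_rva < va + size), None)
    if hit is None:
        findings.append("entry point 0x%x maps to no section" % entry_rva)
        return None, findings
    name, _, _, chars = sections[hit]
    code_idx = [i for i, s in enumerate(sections)
                if s[3] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)]
    # 1. Entry point moved out of the first code section (typical of appended stubs).
    if code_idx and hit != code_idx[0]:
        findings.append("entry point in %s, not in first code section %s"
                        % (name, sections[code_idx[0]][0]))
    # 2. Self-modifying / polymorphic stubs need their own section to be W+X.
    if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry section %s is writable and executable" % name)
    # 3. Entry in the last section: infectors usually append rather than insert.
    if len(sections) > 1 and hit == len(sections) - 1:
        findings.append("entry point in last section %s (appended code?)" % name)
    return name, findings


def build_pe64(entry_rva, sections):
    """Assemble a header-only PE32+ image as constructed test input
    (not a real binary; sections is a list of (name, va, size, characteristics))."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE header right after DOS header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, len(sections),
                       0, 0, 0, len(opt), 0x22)     # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), size, va, size,
                                 0, 0, 0, 0, 0, ch) for n, va, size, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
RDATA = IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
LAYOUT = [(".text", 0x1000, 0x1000, CODE), (".rdata", 0x2000, 0x800, RDATA),
          (".data", 0x3000, 0x400, DATA)]
# Constructed samples (invented names/layout): a clean image, and the same image
# after an infector appended a W+X section and pointed the entry point into it.
CLEAN = build_pe64(0x1100, LAYOUT)
INFECTED = build_pe64(0x4010, LAYOUT + [(".inject", 0x4000, 0x200, CODE | IMAGE_SCN_MEM_WRITE)])

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, triage_entry_point(fh.read()))
```

Run it as `python triage.py C:\path\to\*.exe` to list the entry section and any findings per file. The three checks are deliberately cheap (no disassembly, no signatures), which is exactly why they survive polymorphic stubs: the stub can change its bytes every generation, but it still has to be reachable from the entry point and still has to live somewhere in the section table.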

The researchers said that hundreds of new Azov-related samples are being submitted to VirusTotal every day; as of November 2022, more than 17,000 samples had been observed.

Azov, which has been described as an “effective, fast, and unfortunately unrecoverable data wiper,” is distributed via the SmokeLoader botnet. The researchers have yet to determine the wiper’s origins.

The wiper is hand-written in assembly and built with FASM (flat assembler), and uses anti-analysis and code obfuscation techniques. It also contains a logic bomb: the destructive routine is armed to trigger at a set time rather than running the moment the sample executes. There is no data exfiltration functionality, Check Point notes.

“Although the Azov sample was considered skidsware when first encountered (likely because of the strangely formed ransom note), when probed further one finds very advanced techniques — manually crafted assembly, injecting payloads into executables in order to backdoor them, and several anti-analysis tricks usually reserved for security textbooks or high-profile brand-name cybercrime tools,” the researchers pointed out.

“The number of already detected Azov-related samples is so large that if there was ever an original target, it has long since been lost in the noise of indiscriminate infections. The only thing we can say with certainty, and what has been confirmed by all this analysis, is that Azov is an advanced malware designed to destroy the compromised system,” they added.

