Following WhisperGate, the Ukraine invasion has been accompanied by further data-wiping (wiper) malware such as CaddyWiper and HermeticWiper. The Ukrainian National Emergency Response Team, CERT-UA, has now released information about another new wiper, which has been dubbed DoubleZero. According to the CERT-UA announcement, the campaign distributing the malicious code in phishing emails was identified on March 17, 2022. The malicious code was contained in a compressed file named "Virus…extremely dangerous!!!. zip" attached to the emails.

DoubleZero destroys files using two techniques: overwriting their content with 4096-byte blocks of zeros (via FileStream.Write), or issuing the NtFileOpen and NtFsControlFile API calls with the FSCTL_SET_ZERO_DATA control code, which asks the file system itself to zero the file's data ranges.
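Both techniques leave files whose content reads back as runs of zero blocks, which gives responders a simple triage signal. The following Python script is an added example, not code from CERT-UA or the original post: it walks a directory, reads each file in 4096-byte blocks and flags files that are (almost) entirely zeros; the function names and the constructed sample files are hypothetical.

```python
import os
import tempfile
from pathlib import Path

BLOCK = 4096  # block size the wiper uses, per the CERT-UA description


def zero_block_ratio(path):
    """Return (zero_blocks, total_blocks) for a file, read in 4096-byte blocks.

    An explicit overwrite and an FSCTL_SET_ZERO_DATA range both read back as
    zeros, so checking content catches either technique without needing
    NTFS metadata.
    """
    zero = total = 0
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(BLOCK)
            if not chunk:
                break
            total += 1
            if chunk.count(0) == len(chunk):  # every byte in the block is 0x00
                zero += 1
    return zero, total


def find_zeroed_files(root, threshold=0.9, min_size=BLOCK):
    """Walk `root` and return files whose blocks are at least `threshold` zeros.

    Files smaller than one block are skipped to avoid noise from empty or
    tiny files that are legitimately zero-filled.
    """
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file() or p.stat().st_size < min_size:
            continue
        zero, total = zero_block_ratio(p)
        if total and zero / total >= threshold:
            hits.append(str(p))
    return sorted(hits)


def demo():
    """Constructed sample: one intact document and one zero-filled one."""
    root = tempfile.mkdtemp(prefix="dz_triage_")
    (Path(root) / "report.docx").write_bytes(os.urandom(3 * BLOCK))
    (Path(root) / "budget.xlsx").write_bytes(b"\x00" * (3 * BLOCK))
    return [os.path.basename(h) for h in find_zeroed_files(root)]


if __name__ == "__main__":
    print(demo())  # ['budget.xlsx']
```

Run it against a mounted forensic image rather than the live system, since a wiped host will normally not stay up long enough to inspect.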

Before shutting down the system, the malware also deletes the HKCU, HKU, HKLM and HKLM\BCD Windows registry hives. CERT-UA tracks this activity under the identifier UAC-0088 and links it directly to attempts to disrupt the normal operation of Ukrainian companies' information systems.
