In connection with the invasion of Ukraine, CaddyWiper, HermeticWiper, and other data-wiping (wiper) malware followed WhisperGate. The Ukrainian national emergency response team, CERT-UA, has released information about a new wiper, which has been dubbed DoubleZero. According to the CERT-UA announcement, the campaign distributing the malicious code in phishing emails was identified on March 17, 2022. The malicious code was contained in a compressed file attached to the emails, named "Virus…extremely dangerous!!!.zip".
DoubleZero destroys files using one of two techniques: either overwriting their contents with 4096-byte blocks of zeros (via FileStream.Write), or calling the NtFileOpen and NtFsControlFile APIs with the FSCTL_SET_ZERO_DATA control code, which zeroes the file's data range without writing it byte by byte.
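Both techniques leave the same on-disk artifact: a file that still exists and keeps its size, but reads back as nothing but zero bytes (a FSCTL_SET_ZERO_DATA range is returned as zeros just like an explicit zero write). The following triage script, added here as an illustration and not code from the CERT-UA report or from the malware, walks a directory tree and flags every non-empty file that is entirely zero-filled, reading in the same 4096-byte unit the article mentions. The sample files it creates are constructed test data, not real victim files.

```python
import os
import tempfile
from pathlib import Path

# DoubleZero overwrites in 4096-byte zero blocks; we scan in the same unit.
BLOCK = 4096


def is_zero_filled(path, block=BLOCK):
    """Return True if a non-empty regular file consists only of zero bytes.

    An explicit write of zero blocks and a FSCTL_SET_ZERO_DATA range both
    read back as zeros, so this one check covers both wiping techniques.
    """
    p = Path(path)
    if not p.is_file() or p.stat().st_size == 0:
        return False  # empty or non-regular files are not "wiped" in this sense
    zero = bytes(block)
    with open(p, "rb") as fh:
        while True:
            chunk = fh.read(block)
            if not chunk:
                return True  # reached EOF without seeing a non-zero byte
            if chunk != zero[:len(chunk)]:
                return False


def find_zeroed_files(root, block=BLOCK):
    """Walk root and return the sorted, slash-separated relative paths of
    fully zero-filled files. Unreadable files are skipped rather than aborting
    the sweep, since a wiped host often has locked or missing files."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                if is_zero_filled(full, block):
                    rel = os.path.relpath(full, root).replace(os.sep, "/")
                    hits.append(rel)
            except OSError:
                continue
    return sorted(hits)


def build_sample_tree():
    """Constructed sample data (hypothetical, not from a real incident):
    one intact file, two zero-filled files, and one empty file."""
    root = tempfile.mkdtemp(prefix="dz_demo_")
    Path(root, "report.docx").write_bytes(b"PK\x03\x04" + b"real content" * 100)
    Path(root, "wiped_full.xlsx").write_bytes(bytes(BLOCK * 3))   # three zero blocks
    Path(root, "sub").mkdir()
    Path(root, "sub", "wiped_tail.pdf").write_bytes(bytes(2500))  # shorter than one block
    Path(root, "sub", "empty.txt").write_bytes(b"")                # empty is not wiped
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for rel in find_zeroed_files(demo_root):
        print("zero-filled:", rel)
```

Run it against a mounted image or a suspect directory instead of the sample tree to get a list of candidate wiped files. The check is deliberately strict (the whole file must be zero); a file that was only partially zeroed before the system shut down would need a per-block count of zero blocks, which is a straightforward extension of `is_zero_filled`.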
The malware then deletes the HKCU, HKU, HKLM and HKLM\BCD Windows registry hives before shutting the system down. CERT-UA notes that this activity is tracked under the identifier UAC-0088 and is directly related to attempts to disrupt the normal operation of the information systems of Ukrainian companies.