Ukrainian enterprises hit with the DoubleZero wiper

Ukraine CERT-UA warns of cyberattack aimed at Ukrainian enterprises using the a wiper dubbed DoubleZero.

Ukraine CERT-UA continues to observe malware based attacks aimed at Ukrainian organizations, in a recent alert it warned of attacks employing a wiper dubbed DoubleZero.

The government CERT started observing this campaign on March 17, 2022, threat actors launched spear-phishing attacks using malicious

The archive contains an obfuscated .NET program, experts tracked it as DoubleZero and the analysis revealed it was developed to destroy the infected system.

“On March 17, 2022, the government team responding to computer emergencies in Ukraine CERT-UA discovered several ZIP archives, one of which was called “Virus … extremely dangerous !!!. Zip”. ” reads the advisory published by CERT-UA. “As a result of the analysis, the identified programs are classified as DoubleZero – a malicious destructor program developed using the C # programming language.”

DoubleZero wipe files use two techniques, overwriting their content with zero blocks of 4096 bytes (using FileStream.Write) or using API-calls NtFileOpen, NtFsControlFile (code: FSCTL_SET_ZERO_DATA). 

The malware deletes the following Windows registry HKCU, HKU, HKLM, HKLM \ BCD before shutting down the infected system.

“The activity is tracked by the UAC-0088 identifier and is directly related to attempts to violate the regular mode of operation of information systems of Ukrainian enterprises.” concludes the alert that also reports Indicators of Compromise (IoCs).

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, DoubleZero)

[adrotate banner=”5″]

[adrotate banner=”13″]