A new dangerous attack designed to intentionally destroy data has emerged & so far appears to be targeting mostly Ukraine interests.
The Computer Emergency Response Team of Ukraine released an advisory on March 22, 2022 disclosing another wiper dubbed “DoubleZero” targeting Ukrainian enterprises during Russia’s invasion of the country. This wiper was detected as early as March 17, 2022. DoubleZero is yet another wiper discovered in addition to previously disclosed attacks we’ve seen in Ukraine over the past two months, such as “CaddyWiper” “HermeticWiper” and “WhisperGate.” DoubleZero is a .NET-based implant that destroys files, registry keys and trees on the infected endpoint.
The wiper will enumerate all file paths and decide if the file is “safe” to destroy immediately i.e., not a system file. For each file that is deemed “safe” to destroy (i.e., not in the exclusions listed above), the wiper will: (1) Change the access control of files by giving the Local System Account (2) Use one of the two wiper functions to destroy the files.