DoubleZero Malware: Behavioral Analysis
Background
On 17 March 2022, the Computer Emergency Response Team of Ukraine (CERT-UA) detected evidence of a new wiper, known now as DoubleZero. According to the CERT-UA report:
It uses two methods to destroy files: overwriting files with zero blocks of 4096 bytes (FileStream.Write method) or using API-calls NtFileOpen, NtFsControlFile (code: FSCTL_SET_ZERO_DATA). First, all non-system files on all disks are overwritten. After that the list of system files on a mask is made, their sorting and the subsequent rewriting in the corresponding sequence is carried out. The following branches of the Windows registry are destroyed: HKCU, HKU, HKLM, HKLM \ BCD. Finally, the computer shuts down.
Analysis
Note: During my analysis, I could not replicate the effects observed by CERT-UA. DoubleZero may check if the device has certain features that tie it to Ukraine.
Below is a basic timeline of windows events generated with the sample.
Imports:
The only import observed was the mscoree.dll file. This dll is statically linked to kernel32.dll, which gives access to the NtFsControlFile function.
Network Activity:
When executing DoubleZero, we observe an initial DNS query for the Domain Controller and then a small LDAP communication. Unfortunately, during PCAP analysis, I could not identify anything meaningful from the LDAP messages.
Interestingly, the malware sample used did open up a UDP port in the ephemeral range. This port was not always the same, and I speculate there may be some algorithmic means for generating the port to bind for that socket. Unfortunately, no traffic was seen being sent to or sent from that port. Later, I may try running the sample on a machine that has a public IP to see if there is any communication. DoubleZero may need a C2 server actually to trigger the wiping effects.
Conclusion
Unfortunately, I was unable to get this sample to actually wipe anything or generate meaningful effects, which leaves much of its behavioral characteristics shrouded in mystery. Next, I’m looking forward to analyzing the new Mustang Panda’s Hodur sample circulating in Europe.
