Threat Advisory: DoubleZero

The Computer Emergency Response Team of Ukraine released an advisory on March 22, 2022 disclosing another wiper dubbed “DoubleZero” targeting Ukrainian enterprises during Russia’s invasion of the country. This wiper was detected as early as March 17, 2022. DoubleZero is yet another wiper discovered in addition to previously disclosed attacks we’ve seen in Ukraine over the past two months, such as “CaddyWiper” “HermeticWiper” and “WhisperGate.”

DoubleZero is a .NET-based implant that destroys files, registry keys and trees on the infected endpoint.

Cisco Talos is actively conducting analysis to confirm the details included in these reports.

Wiper analysis
The malware first checks if the current endpoint is one of the domain’s controllers. If the endpoint’s name is found, the wiper simply stops executing.

The wiper begins by obtaining the following privileges on the endpoint:

SeTakeOwnershipPrivilege SeRestorePrivilege SeBackupPrivilege SeShutdownPrivilege

It aims to overwrite all files in all drives by destroying all files in all drives except for a specific list of the locations hardcoded in the wiper. The malware intends to destroy non-system files first, then system-related files. Destroying system related files while the overwriting of other files is pending can create

Read More: