Researchers identify new malware to wipe data in cyberattack on Ukraine
In a nutshell: Security researchers at ESET have identified a specific type of malware called SwiftSlicer that has been used in recent attacks against Ukrainian targets. SwiftSlicer targets critical Windows operating system files and Active Directory (AD) databases. According to the team’s findings, the malware can destroy operating system resources and bring down entire Windows domains.
Researchers identified the SwiftSlicer malware deployed during a cyberattack on Ukrainian tech stores. The malware was written in a cross-platform language called Golang, better known as Go, and uses an Active Directory (AD) Group Policy attack vector.
#BREAKING On the 25th of January #ESETResearch discovered a new cyber attack in 🇺🇦 Ukraine. The attackers deployed a new wiper, which we named #SwiftSlicer, using Active Directory Group Policy. The #SwiftSlicer wiper is written in the Go programming language. We associate this attack with #sandworm. 1/3 pic.twitter.com/pMij9lpU5J
— ESET Research (@ESETresearch) January 27, 2023
The message notes that the malware is detected as WinGo/Killfiles.C. When executed, SwiftSlicer removes shadow copies, recursively overwrites files, and then restarts the computer. It overwrites data in 4096-byte blocks filled with randomly generated bytes. The overwritten files are typically located in %CSIDL_SYSTEM%\drivers, %CSIDL_SYSTEM_DRIVE%\Windows\NTDS, and on some other non-system drives.
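Because the wiper fills files with random bytes rather than zeros, a wiped file looks statistically different from the driver, database, or text file it replaced. The following forensic triage script is an added example, not code from ESET or from the article: it scores each 4096-byte block of a file by Shannon entropy and flags files whose blocks are almost all near the 8-bit maximum. The sample "files" are constructed in memory, and the entropy threshold, the minimum block length that gets scored, and the classification labels are assumptions of this example.

```python
import math
import random
from typing import Dict, List

BLOCK_SIZE = 4096          # overwrite block length reported for SwiftSlicer
MIN_SCORED = 1024          # assumption: tail blocks shorter than this are not scored
ENTROPY_THRESHOLD = 7.5    # assumption: bits/byte above which a block looks random


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def wiped_block_ratio(data: bytes) -> float:
    """Fraction of scored BLOCK_SIZE blocks whose entropy exceeds the threshold."""
    blocks = [data[off:off + BLOCK_SIZE] for off in range(0, len(data), BLOCK_SIZE)]
    scored = [blk for blk in blocks if len(blk) >= MIN_SCORED]
    if not scored:
        return 0.0
    high = sum(1 for blk in scored if shannon_entropy(blk) >= ENTROPY_THRESHOLD)
    return high / len(scored)


def classify(data: bytes) -> str:
    """Map the high-entropy block ratio to a triage label (labels are an assumption)."""
    ratio = wiped_block_ratio(data)
    if ratio >= 0.9:
        return "likely-wiped"
    if ratio > 0.0:
        return "partially-high-entropy"
    return "normal"


def triage(files: Dict[str, bytes]) -> Dict[str, str]:
    """Classify every file in a {path: content} mapping."""
    return {path: classify(content) for path, content in files.items()}


# Constructed sample content (not real files from any incident).
_rng = random.Random(1337)  # seeded so the "wiped" sample is reproducible
_random_bytes = bytes(_rng.getrandbits(8) for _ in range(3 * BLOCK_SIZE + 700))
_ini_text = (b"[Service]\nName=ExampleSvc\nStart=auto\nPath=C:\\Windows\\System32\\drivers\\example.sys\n") * 80

SAMPLE_FILES: Dict[str, bytes] = {
    "drivers/example.sys": _random_bytes,   # overwritten with random data: every full block is near 8 bits/byte
    "config/readme.txt": _ini_text,         # ordinary text: entropy well below the threshold
    "logs/empty.log": b"",                  # empty file: nothing to score
    "data/zeroed.bin": b"\x00" * (2 * BLOCK_SIZE),  # zero-filled: entropy 0, so not flagged by this check
}


def summarize(files: Dict[str, bytes]) -> List[str]:
    return [f"{label:24} {path}" for path, label in sorted(triage(files).items())]


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_FILES)))
```

High entropy alone is a triage signal, not proof: compressed archives, encrypted containers and media files are legitimately near 8 bits/byte, so a hit on a `.sys` file under a drivers directory or on an NTDS database is far more telling than a hit on a `.zip`. Conversely, a wiper that zero-fills would score 0 here, which is why the zero-filled sample is included.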
Analysts have linked the wiper to the Sandworm hacker group, which serves the Main Intelligence Directorate of the General Staff (GRU) and the Main Center for Special Technologies (GTSST). The latest attack is reminiscent of the HermeticWiper and CaddyWiper outbreaks deployed during the Russian invasion.
The researchers noted that the attackers infected targets in all three wiper attacks through the same AD-based vector. The similarity in deployment methods leads ESET to believe that Sandworm operators had taken control of their targets’ Active Directory environments before the attacks.
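A defender who already assumes the domain may be compromised can still catch this deployment pattern in logs: a change to a Group Policy object on a domain controller, followed within a short window by shadow-copy deletion on many endpoints at once. The correlation below is an added example, not ESET's or CERT-UA's tooling. The event records are constructed and deliberately simplified; the field names, the two-hour window and the three-host threshold are assumptions, and `event_id` 5136 stands in for a Windows "directory service object was modified" audit record while `event_id` 1 stands in for a Sysmon process-creation record.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed, simplified event records (not real Windows or Sysmon log output).
SAMPLE_EVENTS: List[Dict] = [
    {"time": "2023-01-25T08:00:00", "host": "DC01", "event_id": 5136,
     "object_class": "groupPolicyContainer", "subject": "CORP\\example-admin"},
    {"time": "2023-01-25T08:02:15", "host": "WS-101", "event_id": 1,
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"time": "2023-01-25T08:02:40", "host": "WS-102", "event_id": 1,
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"time": "2023-01-25T08:03:05", "host": "FS01", "event_id": 1,
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"time": "2023-01-25T08:05:00", "host": "WS-103", "event_id": 1,
     "command_line": "vssadmin.exe list shadows"},               # benign lookup, must not match
    {"time": "2023-01-24T16:00:00", "host": "WS-200", "event_id": 1,
     "command_line": "vssadmin.exe delete shadows /all /quiet"},  # day before: outside the window
]

# Shadow-copy deletion via the two built-in tools most commonly seen in wiper
# and ransomware playbooks (MITRE ATT&CK T1490, Inhibit System Recovery).
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)


def is_shadow_deletion(command_line: str) -> bool:
    return bool(SHADOW_DELETE.search(command_line or ""))


def _ts(event: Dict) -> datetime:
    return datetime.fromisoformat(event["time"])


def correlate(events: List[Dict], window_minutes: int = 120, min_hosts: int = 3) -> List[Dict]:
    """Raise one alert per GPO object change that is followed, within the window,
    by shadow-copy deletion on at least min_hosts distinct endpoints."""
    gpo_changes = [e for e in events if e["event_id"] == 5136
                   and e.get("object_class") == "groupPolicyContainer"]
    deletions = [e for e in events if e["event_id"] == 1
                 and is_shadow_deletion(e.get("command_line", ""))]
    alerts: List[Dict] = []
    for gpo in gpo_changes:
        start = _ts(gpo)
        end = start + timedelta(minutes=window_minutes)
        hosts = sorted({d["host"] for d in deletions if start <= _ts(d) <= end})
        if len(hosts) >= min_hosts:
            alerts.append({
                "severity": "critical",
                "domain_controller": gpo["host"],
                "gpo_changed_by": gpo["subject"],
                "window_start": gpo["time"],
                "hosts": hosts,
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] GPO changed on {alert['domain_controller']} by "
              f"{alert['gpo_changed_by']} at {alert['window_start']}; shadow copies "
              f"deleted on {len(alert['hosts'])} hosts: {', '.join(alert['hosts'])}")
```

The value of the rule is in the join: a single `vssadmin delete shadows` is noisy on its own (backup software and administrators run it), and GPO edits happen daily, but the two together across several hosts in minutes is the shape of a domain-wide push. In a real deployment the 5136 record needs a domain-controller audit policy that covers directory service changes, and the process-creation side needs Sysmon or command-line auditing on endpoints.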
To say that Sandworm has been busy since the start of the conflict in Ukraine would be an understatement. Ukraine's Computer Emergency Response Team (CERT-UA) recently discovered another combination of malicious data-deletion packages deployed in the networks of the news agency Ukrinform. The malicious scripts targeted Windows, Linux, and FreeBSD systems and infected them with several payloads, including CaddyWiper, ZeroWipe, SDelete, AwfulShred, and BidSwipe.
UPDATE: UAC-0082 (suspected #sandworm) attacked Ukrinform using 5 types of destructive software: CaddyWiper, ZeroWipe, SDelete, AwfulShred, BidSwipe.
Details: https://t.co/vFIiRvXm0u (Ukraine only)
— CERT-UA (@_CERT_UA) January 27, 2023
According to CERT-UA, the attacks were only partially successful. One of the malicious Sandworm packages, CaddyWiper, was also discovered in a failed attack on one of Ukraine’s largest electricity suppliers in April 2022. ESET researchers helped during this attack by working with CERT-UA to patch and secure the network.