Researchers discovered a new attack by Russian threat actors on a Ukrainian target that used a new wiper malware aimed at the Windows operating system.
The new malware, named SwiftSlicer, is attributed to the Sandworm group, which is known to work for the Russian General Staff Main Intelligence Directorate (GRU).
More on the New SwiftSlicer Data-Wiping Malware
On January 25th, researchers discovered the new data wiper while it was being deployed in a cyberattack in Ukraine. According to them, the threat actors wrote the malware in the Go programming language, which is highly versatile and can be compiled for many platforms and hardware architectures. SwiftSlicer was submitted to the VirusTotal scanning platform's database on January 26th.
The SwiftSlicer malware was spread using a Group Policy Object (GPO), which means that the threat actors had previously managed to take over the victim's Active Directory environment. Through Active Directory Group Policy, domain administrators can run scripts and commands on every Windows device in the domain.
Researchers also found that the wiper deletes shadow copies and overwrites critical files in the Windows system directory, namely drivers and the Active Directory database.
Since the wiper targets the %CSIDL_SYSTEM_DRIVE%\Windows\NTDS folder, it is clear that its goal is to take down entire Windows domains, not merely to erase files.
According to the cyber researchers:
SwiftSlicer overwrites data using 4096-byte blocks that are filled with randomly generated bytes. After completing the data destruction job, the malware reboots the systems.
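The article describes a recognisable sequence on a domain controller: a Group Policy change used for deployment, shadow-copy deletion, writes to the NTDS directory by a process that has no business there, and a reboot. The following detection logic is an added example (not code from the article or from the researchers who analysed SwiftSlicer) that correlates such events per host. The event schema, the sample records, the process name update.exe and the user account are constructed for the demonstration; the event IDs are the standard Windows Security/System ones (5136 directory object modified, 4688 process creation, 4663 object access, 1074 shutdown initiated), and the vssadmin/wmic command lines are the generic shadow-copy deletion patterns defenders commonly watch for, not something the article attributes to SwiftSlicer.

```python
"""Correlate Windows audit events into a wiper-like sequence per host.

Added example, not from the article. Event schema and sample records are
constructed; event IDs are the standard Windows Security/System ones.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    host: str
    ts: datetime
    event_id: int
    fields: dict = field(default_factory=dict)


# Generic shadow-copy deletion command lines (MITRE T1490); an assumption about
# tooling, not something the article states SwiftSlicer itself runs.
SHADOW_DELETE = re.compile(r"(vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete)", re.I)
# The Active Directory database folder the article says SwiftSlicer targets.
NTDS_PATH = re.compile(r"\\windows\\ntds\\", re.I)
# Processes that legitimately write the NTDS database.
NTDS_WRITERS = {"lsass.exe", "ntdsutil.exe"}
# Tags that indicate destruction rather than routine administration.
DESTRUCTIVE = {"shadow_copies_deleted", "ntds_written_by_unexpected_process"}


def classify(ev: Event) -> str | None:
    """Return a tag for a single suspicious event, or None for anything else."""
    f = ev.fields
    if ev.event_id == 5136 and f.get("object_class") == "groupPolicyContainer":
        return "gpo_modified"                      # GPO edited (deployment vector)
    if ev.event_id == 4688 and SHADOW_DELETE.search(f.get("command_line", "")):
        return "shadow_copies_deleted"             # recovery data removed
    if (ev.event_id == 4663
            and NTDS_PATH.search(f.get("object_name", ""))
            and "WriteData" in f.get("accesses", "")
            and f.get("process_name", "").lower() not in NTDS_WRITERS):
        return "ntds_written_by_unexpected_process"  # AD database overwritten
    if ev.event_id == 1074:
        return "reboot_initiated"                  # wiper reboots when done
    return None


def correlate(events, window: timedelta = timedelta(minutes=30)) -> dict:
    """Group tagged events per host and rate hosts that show destructive activity.

    A GPO edit or a reboot on its own is routine and is not reported; the first
    destructive event anchors the time window in which other tags are collected.
    """
    per_host: dict[str, list[tuple[datetime, str]]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        tag = classify(ev)
        if tag:
            per_host.setdefault(ev.host, []).append((ev.ts, tag))

    findings = {}
    for host, tagged in per_host.items():
        anchors = [ts for ts, tag in tagged if tag in DESTRUCTIVE]
        if not anchors:
            continue
        anchor = anchors[0]
        tags = {tag for ts, tag in tagged if abs(ts - anchor) <= window}
        severity = "high" if DESTRUCTIVE <= tags else "medium"
        findings[host] = {"severity": severity, "tags": sorted(tags)}
    return findings


# Constructed sample events: one domain controller showing the full sequence and
# one workstation with a routine reboot and a benign process start.
T = datetime(2023, 1, 25, 10, 0)
SAMPLE_EVENTS = [
    Event("dc01", T, 5136, {"object_class": "groupPolicyContainer", "subject": "CORP\\jdoe"}),
    Event("dc01", T + timedelta(minutes=12), 4688,
          {"command_line": "vssadmin.exe delete shadows /all /quiet"}),
    Event("dc01", T + timedelta(minutes=13), 4663,
          {"object_name": "C:\\Windows\\NTDS\\ntds.dit", "accesses": "WriteData",
           "process_name": "update.exe"}),   # placeholder name, not the real binary
    Event("dc01", T + timedelta(minutes=15), 1074, {"reason": "Other (Planned)"}),
    Event("ws07", T - timedelta(hours=1), 1074, {"reason": "Operating System: Upgrade"}),
    Event("ws07", T - timedelta(minutes=59), 4688, {"command_line": "notepad.exe notes.txt"}),
]

if __name__ == "__main__":
    for host, finding in correlate(SAMPLE_EVENTS).items():
        print(host, finding["severity"], ", ".join(finding["tags"]))
```

Feeding real exported events means mapping the Security and System logs into the Event fields above; the value of the correlation is that shadow-copy deletion and unexpected writes to the NTDS folder together are a much stronger signal than either alone, and the preceding GPO change tells the responder which object carried the payload.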
Recent Sandworm Attack Used Five Data-Wiping Malware Strains
Sandworm was recently in the spotlight for a data-wiping attack on Ukraine's national news agency, Ukrinform. On January 17, Ukrinform was compromised by a cocktail of five data-wiping malware strains, the Ukrainian Computer Emergency Response Team (CERT-UA) announced. The five strains on the list were:
- CaddyWiper (Windows)
- ZeroWipe (Windows)
- SDelete (legitimate tool for Windows)
- AwfulShred (Linux)
- BidSwipe (FreeBSD)