Researchers identify new data-wiping malware in cyberattack against Ukraine


In a nutshell: Security researchers from ESET have identified a specific type of malware called SwiftSlicer deployed in recent attacks against Ukrainian targets. SwiftSlicer targets critical Windows operating system files and Active Directory (AD) databases. Based on the team’s findings, the malware can destroy operating system resources and cripple entire Windows domains.

The researchers identified the SwiftSlicer malware deployed during a cyberattack targeting Ukrainian technology outlets. The malware was written in the cross-platform language Golang, better known as Go, and was delivered through an Active Directory (AD) Group Policy attack vector.

#BREAKING On January 25th #ESETResearch discovered a new cyberattack in Ukraine. Attackers deployed a new wiper we named #SwiftSlicer using Active Directory Group Policy. The #SwiftSlicer wiper is written in Go programming language. We attribute this attack to #Sandworm. 1/3 pic.twitter.com/pMij9lpU5J

— ESET Research (@ESETresearch) January 27, 2023

The announcement notes that the malware is detected as WinGo/Killfiles.C. On execution, SwiftSlicer deletes shadow copies and recursively overwrites files, then reboots the computer. It overwrites the data in 4,096-byte blocks of randomly generated bytes. Overwritten files are typically located in %CSIDL_SYSTEM%\drivers, %CSIDL_SYSTEM_DRIVE%\Windows\NTDS, and several other non-system drives.
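The overwrite pattern described above (whole files replaced with 4,096-byte blocks of random bytes) leaves a recognizable trace that a responder can look for during triage. The following is an added example written for this article, not ESET's tooling or the malware's code: it splits a file's bytes into 4,096-byte blocks and flags files whose every block has near-uniform entropy. The block size comes from the report; the entropy threshold and the sample data are assumptions constructed here.

```python
import math
import random
from collections import Counter

BLOCK = 4096          # overwrite block size reported for SwiftSlicer
HIGH_ENTROPY = 7.5    # bits per byte; assumed threshold, uniform random data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def wiped_block_ratio(data: bytes, block: int = BLOCK) -> float:
    """Fraction of full-size blocks whose entropy is at or above HIGH_ENTROPY."""
    full_blocks = len(data) // block
    if full_blocks == 0:
        return 0.0
    high = sum(
        1 for i in range(full_blocks)
        if shannon_entropy(data[i * block:(i + 1) * block]) >= HIGH_ENTROPY
    )
    return high / full_blocks


def looks_wiped(data: bytes, block: int = BLOCK) -> bool:
    """Triage signal only: every full block is near-uniform random.
    Compressed or encrypted files look the same, so confirm against
    known-good hashes or file headers before treating a file as destroyed."""
    return len(data) >= block and wiped_block_ratio(data, block) == 1.0


# Constructed samples, not real victim files: repetitive text standing in for
# an intact file, and seeded PRNG bytes standing in for an overwritten one.
_rng = random.Random(20230127)
PLAIN_SAMPLE = (b"ntds.dit sample content " * 600)[:3 * BLOCK]
WIPED_SAMPLE = _rng.randbytes(3 * BLOCK)

if __name__ == "__main__":
    for name, sample in (("plain", PLAIN_SAMPLE), ("wiped", WIPED_SAMPLE)):
        print(f"{name}: wiped_block_ratio={wiped_block_ratio(sample):.2f} "
              f"looks_wiped={looks_wiped(sample)}")
```

Run against a directory of files recovered from an affected host, the ratio separates fully overwritten files from partially damaged ones; files that are legitimately compressed or encrypted need a second check.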

Analysts attributed the wiper-style malware to the Sandworm hacking group, which serves Russia’s General Staff Main Intelligence Directorate (GRU) and Main Center for Special Technologies (GTsST). The latest attack is reminiscent of the recent HermeticWiper and CaddyWiper outbreaks deployed during Russia’s invasion.

Researchers noted that hackers infected the targets in all three wiper attacks via the same AD-based vector. The similarities in deployment methods led ESET to believe that the Sandworm actors may have taken control of their targets' Active Directory environments prior to initiating the attack.

To say Sandworm has been busy since the Ukraine conflict would be an understatement. The Ukrainian Computer Emergency Response Team (CERT-UA) recently discovered another combination of several data-wiping malware packages deployed to the Ukrinform news agency’s networks. The malware scripts targeted Windows, Linux, and FreeBSD systems and infected them with multiple malware payloads, including CaddyWiper, ZeroWipe, SDelete, AwfulShred, and BidSwipe.

UPDATE: UAC-0082 (suspected #Sandworm) to target Ukrinform using 5 variants of destructive software: CaddyWiper, ZeroWipe, SDelete, AwfulShred, BidSwipe.

Details: https://t.co/vFIiRvXm0u (UA only)

— CERT-UA (@_CERT_UA) January 27, 2023

According to CERT-UA, the attacks were only partially successful. One of Sandworm’s listed malware packages, CaddyWiper, was also discovered in a failed attack that targeted one of Ukraine’s largest energy providers in April of 2022. Researchers at ESET helped during that attack by working with CERT-UA to remediate and protect the network.

Alejandro Fetzer
