{"id":602813,"date":"2023-01-30T07:49:36","date_gmt":"2023-01-30T13:49:36","guid":{"rendered":"https:\/\/news.sellorbuyhomefast.com\/index.php\/2023\/01\/30\/researchers-identify-new-data-wiping-malware-in-cyberattack-against-ukraine\/"},"modified":"2023-01-30T07:49:36","modified_gmt":"2023-01-30T13:49:36","slug":"researchers-identify-new-data-wiping-malware-in-cyberattack-against-ukraine","status":"publish","type":"post","link":"https:\/\/newsycanuse.com\/index.php\/2023\/01\/30\/researchers-identify-new-data-wiping-malware-in-cyberattack-against-ukraine\/","title":{"rendered":"Researchers identify new data-wiping malware in cyberattack against Ukraine"},"content":{"rendered":"<p>TechSpot is about to celebrate its 25th anniversary. TechSpot means tech analysis and advice <a href=\"https:\/\/www.techspot.com\/ethics.html\" target=\"_blank\" rel=\"noopener\">you\u00a0can\u00a0trust<\/a>.<\/p>\n<div>\n<p id=\"why-it-matters\"><strong>In a nutshell:<\/strong> Security researchers from ESET have identified a new data-wiping malware, which they named SwiftSlicer, deployed in a recent attack in Ukraine. SwiftSlicer overwrites critical Windows operating system files and the Active Directory (AD) database. Based on the team&#8217;s findings, the malware can destroy operating system files and cripple entire Windows domains. <\/p>\n<p>The researchers <a href=\"https:\/\/www.welivesecurity.com\/2023\/01\/27\/swiftslicer-new-destructive-wiper-malware-ukraine\/\">identified<\/a> SwiftSlicer during a cyberattack targeting Ukrainian technology outlets. 
The malware was written in Go (often called Golang), a cross-platform language, and was deployed to domain members through Active Directory (AD) <a href=\"https:\/\/www.windows-active-directory.com\/benefits-of-group-policy-in-active-directory.html\">Group Policy<\/a>.<\/p>\n<blockquote data-lazy-function=\"loadTwitter\">\n<p dir=\"ltr\" lang=\"en\"><a href=\"https:\/\/twitter.com\/hashtag\/BREAKING?src=hash&#038;ref_src=twsrc%5Etfw\">#BREAKING<\/a> On January 25th <a href=\"https:\/\/twitter.com\/hashtag\/ESETResearch?src=hash&#038;ref_src=twsrc%5Etfw\">#ESETResearch<\/a> discovered a new cyberattack in Ukraine. Attackers deployed a new wiper we named <a href=\"https:\/\/twitter.com\/hashtag\/SwiftSlicer?src=hash&#038;ref_src=twsrc%5Etfw\">#SwiftSlicer<\/a> using Active Directory Group Policy. The <a href=\"https:\/\/twitter.com\/hashtag\/SwiftSlicer?src=hash&#038;ref_src=twsrc%5Etfw\">#SwiftSlicer<\/a> wiper is written in Go programming language. We attribute this attack to <a href=\"https:\/\/twitter.com\/hashtag\/Sandworm?src=hash&#038;ref_src=twsrc%5Etfw\">#Sandworm<\/a>. 1\/3 <a href=\"https:\/\/t.co\/pMij9lpU5J\">pic.twitter.com\/pMij9lpU5J<\/a><\/p>\n<p>\u2014 ESET Research (@ESETresearch) <a href=\"https:\/\/twitter.com\/ESETresearch\/status\/1618960022150729728?ref_src=twsrc%5Etfw\">January 27, 2023<\/a><\/p><\/blockquote>\n<p>ESET detects the sample as <a href=\"https:\/\/www.virustotal.com\/gui\/file\/1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690\">WinGo\/Killfiles.C<\/a>. On execution, SwiftSlicer deletes shadow copies, recursively overwrites files, and then reboots the computer. It overwrites file contents in 4,096-byte blocks of randomly generated bytes. 
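<\/p>\n<p>The behaviour chain above (Group Policy deployment, shadow-copy deletion, random 4,096-byte overwrites of driver and NTDS paths, then a forced reboot) is what a responder has to detect while the payload is being staged, or confirm after the fact. The Python below is an example added by the editor; it is not ESET&#8217;s code and uses none of their indicators. <code>triage<\/code> correlates a handful of constructed host-telemetry records into per-host indicators (the simplified event schema stands in for Windows Event ID 5136, Sysmon process events and EDR file-write telemetry), and <code>wiped_blocks<\/code> scores 4,096-byte blocks of a recovered file by byte entropy to separate randomly overwritten blocks from intact ones. The command-line patterns, the SYSVOL path pattern, the threshold of five protected files, the binary name and every sample record are assumptions made for this example.<\/p>

```python
"""Added example: triage checks for a GPO-deployed wiper. Not ESET's code or
indicators; event schema, rules, thresholds and sample data are assumptions."""
import math
import random
import re
from collections import Counter, defaultdict

BLOCK = 4096  # overwrite block size reported for SwiftSlicer

# Common command lines for deleting Volume Shadow Copies (assumed; the report
# says shadow copies are deleted, not how).
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)
FORCED_REBOOT = re.compile(r"\bshutdown(\.exe)?\b.*\s[/-]r\b", re.I)
# Startup scripts and Group Policy Preferences scheduled tasks are the usual GPO
# ways to run a binary on every domain member (assumed; the page only says GPO).
GPO_PAYLOAD = re.compile(
    r"\\SYSVOL\\[^\\]+\\Policies\\\{[0-9A-F-]{36}\}\\(Machine|User)\\"
    r"(Scripts\\|Preferences\\ScheduledTasks\\)", re.I)
# Directories the report names as overwrite targets (drive letter ignored).
WIPE_PREFIXES = ("\\windows\\system32\\drivers\\", "\\windows\\ntds\\")

def triage(events, overwrite_threshold=5):
    """Correlate events per host -> {host: {"indicators": [...], "suspect_images": [...]}}.
    Constructed event types: "ad_change" (cf. Windows Event ID 5136), "process"
    (cf. Sysmon 1 / 4688) and "file_write" (cf. EDR file telemetry)."""
    findings = defaultdict(set)
    protected_writes = defaultdict(lambda: defaultdict(set))  # host -> image -> paths
    for ev in events:
        host, kind = ev["host"], ev["type"]
        if kind == "ad_change" and ev.get("object_class") == "groupPolicyContainer":
            findings[host].add("gpo_modified")
        elif kind == "process":
            cmd = ev.get("cmdline", "")
            if SHADOW_DELETE.search(cmd):
                findings[host].add("shadow_copy_deletion")
            if FORCED_REBOOT.search(cmd):
                findings[host].add("forced_reboot")
        elif kind == "file_write":
            if GPO_PAYLOAD.search(ev["path"]):
                findings[host].add("gpo_payload_staged")
            if any(prefix in ev["path"].lower() for prefix in WIPE_PREFIXES):
                protected_writes[host][ev["image"]].add(ev["path"].lower())
    report = {}
    for host in set(findings) | set(protected_writes):
        # One process touching many protected files is the overwrite signature.
        suspects = sorted(img for img, paths in protected_writes[host].items()
                          if len(paths) >= overwrite_threshold)
        indicators = set(findings[host]) | ({"mass_overwrite_system_paths"} if suspects else set())
        if indicators:
            report[host] = {"indicators": sorted(indicators), "suspect_images": suspects}
    return report

def block_entropy(block):
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def wiped_blocks(data, threshold=7.9):
    """Indices of full 4096-byte blocks whose entropy matches random overwrite.
    Random bytes score about 7.95 bits/byte; text and executables sit well below
    7.9. Compressed or encrypted data also scores high: hits are leads, not proof."""
    return [i // BLOCK for i in range(0, len(data) - BLOCK + 1, BLOCK)
            if block_entropy(data[i:i + BLOCK]) >= threshold]

# ---- constructed sample input (not real telemetry, hashes or indicators) -----
WIPER = "C:\\Windows\\Temp\\svc_update.exe"  # hypothetical dropped binary
EVENTS = [
    {"host": "dc01", "type": "ad_change", "object_class": "groupPolicyContainer"},
    {"host": "dc01", "type": "file_write", "image": "C:\\Windows\\System32\\mmc.exe",
     "path": "C:\\Windows\\SYSVOL\\domain\\Policies\\{6AC1786C-016F-11D2-945F-00C04FB984F9}"
             "\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml"},
    {"host": "ws-17", "type": "process", "image": WIPER,
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    *({"host": "ws-17", "type": "file_write", "image": WIPER, "path": "C:\\Windows\\System32\\drivers\\" + f}
      for f in ("acpi.sys", "disk.sys", "ndis.sys", "ntfs.sys", "tcpip.sys", "volmgr.sys")),
    *({"host": "dc01", "type": "file_write", "image": WIPER, "path": "C:\\Windows\\NTDS\\" + f}
      for f in ("ntds.dit", "edb.log", "edb.chk", "edb00001.log", "temp.edb")),
    {"host": "ws-17", "type": "process", "image": WIPER, "cmdline": "shutdown.exe /r /t 0"},
    # Ordinary activity on a third host: no rule should fire.
    {"host": "ws-42", "type": "process", "image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p"},
]

def sample_disk_image():
    """Constructed: one block of seeded pseudo-random bytes (what the wiper leaves)
    followed by one block of ordinary text."""
    rng = random.Random(20230127)
    wiped = bytes(rng.getrandbits(8) for _ in range(BLOCK))
    return wiped + (b"; constructed INF text, repeated to fill a block\r\n" * 100)[:BLOCK]

if __name__ == "__main__":
    for host, result in sorted(triage(EVENTS).items()):
        print(host, result)
    print("blocks that look wiped:", wiped_blocks(sample_disk_image()))
```

<p>Two caveats for real environments: Event ID 5136 is only emitted when Directory Service Changes auditing is enabled and the GPO container carries a matching SACL, so the GPO rule is silent on a domain without that audit policy; and high entropy also flags compressed or encrypted files, so <code>wiped_blocks<\/code> narrows the review set rather than proving a wipe.<\/p>\n<p>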
Overwritten files are typically located in %CSIDL_SYSTEM%\\drivers, %CSIDL_SYSTEM_DRIVE%\\Windows\\NTDS, and on other, non-system drives.<\/p>\n<p>ESET attributed the wiper to the Sandworm group, which is assessed to be a unit of Russia&#8217;s military intelligence service, the General Staff Main Intelligence Directorate (GRU), operating as its Main Center for Special Technologies (GTsST). The latest attack is reminiscent of the <a href=\"https:\/\/www.welivesecurity.com\/2022\/02\/24\/hermeticwiper-new-data-wiping-malware-hits-ukraine\/\">HermeticWiper<\/a> and <a href=\"https:\/\/www.welivesecurity.com\/2022\/03\/15\/caddywiper-new-wiper-malware-discovered-ukraine\/\">CaddyWiper<\/a> outbreaks deployed early in Russia&#8217;s 2022 invasion.<\/p>\n<p>Researchers noted that in all three wiper attacks the targets were infected through the same AD-based vector. Pushing a payload through Group Policy requires the rights to modify Group Policy Objects, which only a domain-level compromise provides, so the shared deployment method led ESET to believe that the Sandworm operators had most likely taken control of their targets&#8217; Active Directory environments before triggering the wipers.<\/p>\n<p>To say Sandworm has been busy since the Ukraine 
conflict would be an understatement. The Ukrainian Computer Emergency Response Team (CERT-UA) recently <a href=\"https:\/\/cert.gov.ua\/article\/3718487\">reported<\/a> another destructive attack, this one against the networks of the Ukrinform news agency, that combined several data-wiping tools. Scripts targeting Windows, Linux, and FreeBSD systems ran five destructive payloads: CaddyWiper, ZeroWipe, SDelete, AwfulShred, and BidSwipe. SDelete is a legitimate Sysinternals secure-deletion utility repurposed by the attackers, so its presence alone is not proof of compromise.<\/p>\n<blockquote data-lazy-function=\"loadTwitter\">\n<div dir=\"ltr\" lang=\"en\">\n<p>UPDATE: UAC-0082 (suspected <a href=\"https:\/\/twitter.com\/hashtag\/Sandworm?src=hash&#038;ref_src=twsrc%5Etfw\">#Sandworm<\/a>) to target Ukrinform using 5 variants of destructive software: CaddyWiper, ZeroWipe, SDelete, AwfulShred, BidSwipe.<\/p>\n<p>\nDetails: <a href=\"https:\/\/t.co\/vFIiRvXm0u\">https:\/\/t.co\/vFIiRvXm0u<\/a> (UA only)<\/p>\n<\/div>\n<p>\u2014 CERT-UA (@_CERT_UA) <a href=\"https:\/\/twitter.com\/_CERT_UA\/status\/1618983957898592257?ref_src=twsrc%5Etfw\">January 27, 2023<\/a><\/p><\/blockquote>\n<p>According to CERT-UA, the attacks were only partially successful. One of the tools on that list, CaddyWiper, had also been found in a failed attack on one of Ukraine&#8217;s largest energy providers in April 2022; ESET worked with CERT-UA during that incident to remediate and protect the network.<\/p>\n<\/div>\n<p><a href=\"https:\/\/www.techspot.com\/news\/97421-researchers-identify-new-data-wiping-malware-cyberattack-against.html\" class=\"button purchase\" rel=\"nofollow noopener\" target=\"_blank\">Read More<\/a><br \/>\n Alejandro Fetzer<\/p>\n","protected":false},"excerpt":{"rendered":"<p>TechSpot is about to celebrate its 25th anniversary. TechSpot means tech analysis and advice you\u00a0can\u00a0trust. 
In a nutshell: Security researchers from ESET have identified a specific type of malware called SwiftSlicer deployed in recent attacks against Ukrainian targets. SwiftSlicer targets critical Windows operating system files and Active Directory (AD) databases. Based on the team&#8217;s findings<\/p>\n","protected":false},"author":1,"featured_media":602814,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[23173,5016,46],"tags":[],"class_list":{"0":"post-602813","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-identify","8":"category-researchers","9":"category-technology"},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/602813","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/comments?post=602813"}],"version-history":[{"count":0,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/602813\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media\/602814"}],"wp:attachment":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media?parent=602813"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/categories?post=602813"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/tags?post=602813"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}