In brief: Security researchers at ESET have identified a new wiper malware, dubbed SwiftSlicer, deployed in recent attacks against targets in Ukraine. SwiftSlicer targets critical Windows operating system files and Active Directory (AD) databases. According to the team's findings, the malware can corrupt operating system resources and cripple entire Windows domains.
Researchers identified the SwiftSlicer malware after it was deployed in a cyberattack against Ukrainian technology organizations. The malware is written in the cross-platform language Golang, better known as Go, and uses Active Directory (AD) Group Policy as its delivery vector.
#BREAKING On January 25 #ESETResearch detected a new cyberattack in 🇺🇦 Ukraine. The attackers deployed a new wiper we named #SwiftSlicer using Active Directory Group Policy. The #SwiftSlicer wiper is written in the Go programming language. We attribute this attack to #Sandworm. 1/3 pic.twitter.com/pMij9lpU5J
— ESET Research (@ESETresearch) January 27, 2023
The bulletin states that the malware is detected as WinGo/Killfiles.C. On execution, SwiftSlicer deletes shadow copies and recursively overwrites files, then restarts the computer. It overwrites the data in 4,096-byte blocks of randomly generated bytes. Overwritten files are usually located in %CSIDL_SYSTEM%\drivers, %CSIDL_SYSTEM_DRIVE%\Windows\NTDS and on several other non-system drives.
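Because the wiper replaces file contents with 4,096-byte blocks of random data, a responder triaging a host after such an incident can separate files that were actually overwritten from files that merely became unreadable (for example, because a restart interrupted a service). The script below, an added example and not code from ESET or from the article, computes Shannon entropy per 4,096-byte block and flags a file as wiped only when every full block is near-uniform random. The 7.5 bits-per-byte threshold and the sample files are constructed assumptions for illustration.

```python
import math
import random
from collections import Counter
from typing import Dict, List

BLOCK_SIZE = 4096         # overwrite granularity reported for SwiftSlicer
ENTROPY_THRESHOLD = 7.5   # assumed cut-off in bits/byte; uniform random data scores ~7.95


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of a buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def block_entropies(data: bytes, block_size: int = BLOCK_SIZE) -> List[float]:
    """Entropy of each *full* block; a short trailing block is ignored because a
    partial block cannot reach 8 bits/byte even when it is purely random."""
    full = len(data) - (len(data) % block_size)
    return [shannon_entropy(data[i:i + block_size]) for i in range(0, full, block_size)]


def looks_wiped(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """True when the file has at least one full block and every full block is
    near-uniform random, i.e. consistent with a block-wise random overwrite."""
    ents = block_entropies(data)
    return bool(ents) and all(e >= threshold for e in ents)


def triage(files: Dict[str, bytes]) -> Dict[str, bool]:
    """Map each file name to a wiped/not-wiped verdict."""
    return {name: looks_wiped(blob) for name, blob in files.items()}


# --- constructed sample "files" (not real artefacts) -------------------------
_rng = random.Random(7)                      # seeded so the example is deterministic
_random_blocks = bytes(_rng.getrandbits(8) for _ in range(4 * BLOCK_SIZE))
_log_text = b"2023-01-25 12:00:01 svc  started OK\n" * 300

SAMPLE_FILES: Dict[str, bytes] = {
    "ntds.dit.sample": _random_blocks,             # fully overwritten with random blocks
    "readme.txt.sample": _log_text,                # ordinary text, untouched
    "mixed.bin.sample": _log_text[:BLOCK_SIZE] + _random_blocks[:BLOCK_SIZE],  # partially random
}

if __name__ == "__main__":
    for name, wiped in triage(SAMPLE_FILES).items():
        print(f"{name:20s} wiped={wiped}")
```

The all-blocks rule keeps the check conservative: a file with one intact low-entropy block is reported as not wiped. Legitimately compressed or encrypted files (archives, media, BitLocker-protected volumes) also score near 8 bits/byte, so on a real host the verdict should be combined with the file's expected type and the paths named above rather than used on its own.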
Analysts have attributed the wiper to the Sandworm group, which operates on behalf of the Russian General Staff's Main Intelligence Directorate (GRU) and its Main Special Technology Center (GTsST). The latest attack is reminiscent of the recent HermeticWiper and CaddyWiper outbreaks deployed during the Russian invasion.
Attackers infected targets in all three wiper attacks through the same AD-based vector, the researchers noted. The similarity in deployment methods leads ESET to believe that Sandworm operators had already taken control of the target's Active Directory environment before launching the attack.
To say Sandworm has been busy since the war in Ukraine began is an understatement. The Computer Emergency Response Team of Ukraine (CERT-UA) recently discovered yet another combination of multiple data-wiping malware packages deployed on the network of the Ukrinform news agency. The malware script targets Windows, Linux, and FreeBSD systems and infects them with multiple payloads, including CaddyWiper, ZeroWipe, SDelete, AwfulShred, and BidSwipe.
Update: UAC-0082 (suspected #Sandworm) used 5 harmful software variants to attack Ukrinform: CaddyWiper, ZeroWipe, SDelete, AwfulShred, BidSwipe.
Details: (UA only)
— CERT-UA (@_CERT_UA) January 27, 2023
According to CERT-UA, these attacks were only partially successful. CaddyWiper, one of the Sandworm malware packages listed above, was also found in a failed April 2022 attack against one of Ukraine's largest energy suppliers. ESET researchers assisted in that incident by working with CERT-UA to restore and secure the network.