A new data-wiping malware called SwiftSlicer has been discovered by security researchers. It attempts to erase critical Windows operating system files. The malware was found during a recent cyberattack against a target in Ukraine and has been attributed to Sandworm, a hacking group that is part of military unit 74455 of the Main Center for Special Technologies (GTsST), a branch of Russia’s General Staff Main Intelligence Directorate (GRU).
Little is publicly known about SwiftSlicer yet, but researchers at the cybersecurity firm ESET say they discovered the malware during an attack in Ukraine. The target’s identity has not been disclosed, but earlier Sandworm activity includes a data-wiping attack on Ukrinform, the country’s national news agency. In the attack that ESET detected on January 25, however, the threat actor used a different destructive malware, CaddyWiper, which had already been seen in previous operations against Ukrainian targets.
SwiftSlicer was reportedly deployed by Sandworm through Active Directory Group Policy, which lets domain administrators run scripts and commands on every device in a Windows network. According to ESET researchers, SwiftSlicer overwrites and deletes essential files in the Windows system directory, including drivers and the Active Directory database, and also deletes their shadow copies. Its explicit targeting of the %CSIDL_SYSTEM_DRIVE%\Windows\NTDS folder, where the Active Directory database is stored, shows that the wiper is designed to take down Windows domains.
SwiftSlicer overwrites data in blocks of 4096 bytes, each filled with randomly generated bytes. Once the destruction routine is complete, the malware reboots the machine, according to ESET. The researchers note that Sandworm wrote SwiftSlicer in Go (Golang), a language adopted by several threat actors because of its flexibility and its ability to be compiled for all major platforms and architectures. Although the sample was only recently uploaded to VirusTotal (it was submitted on January 26), more than half of the antivirus engines on the scanning platform already detect it.
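To make the overwrite pattern described above concrete from the incident responder's side, here is an added Python example (not code from the article, from ESET, or from the malware) that scores a file's 4096-byte blocks by Shannon entropy and flags content that looks block-wise random, which is what a file left behind by such a wiper would look like. The 7.9 bits-per-byte threshold and the 90% block fraction are assumptions chosen for illustration, and the sample buffers are constructed inside the script rather than recovered artefacts.

```python
import math
from collections import Counter
from random import Random

BLOCK_SIZE = 4096       # overwrite block size reported for SwiftSlicer
HIGH_ENTROPY = 7.9      # bits per byte; assumed threshold, not a value from the report
WIPED_FRACTION = 0.9    # share of blocks that must look random; assumed, not from the report


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input).

    Uniformly random bytes approach 8.0; text and most structured file
    formats land well below that.
    """
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def block_entropies(data: bytes, block_size: int = BLOCK_SIZE) -> list[float]:
    """Entropy of each *complete* block_size-byte block in `data`.

    A trailing partial block is skipped: too few bytes give an unreliable
    estimate and would bias the verdict.
    """
    full_blocks = len(data) // block_size
    return [
        shannon_entropy(data[i * block_size:(i + 1) * block_size])
        for i in range(full_blocks)
    ]


def looks_wiped(data: bytes, *, block_size: int = BLOCK_SIZE,
                threshold: float = HIGH_ENTROPY,
                min_fraction: float = WIPED_FRACTION) -> bool:
    """True when at least `min_fraction` of the complete blocks have entropy
    >= `threshold`, i.e. the content is consistent with a block-wise random
    overwrite.  Data shorter than one block cannot be judged and is
    reported as not wiped.
    """
    ents = block_entropies(data, block_size)
    if not ents:
        return False
    high = sum(1 for e in ents if e >= threshold)
    return high / len(ents) >= min_fraction


def triage(files: dict[str, bytes]) -> dict[str, bool]:
    """Apply looks_wiped() to a mapping of path -> file content."""
    return {path: looks_wiped(content) for path, content in files.items()}


# ---- constructed samples (not real artefacts from the incident) ----
_rng = Random(2023)  # fixed seed so the samples are reproducible
# Fully overwritten: eight 4096-byte blocks of pseudo-random bytes.
WIPED_SAMPLE = _rng.randbytes(8 * BLOCK_SIZE)
# Intact: low-entropy structured text of the same length.
INTACT_SAMPLE = (b"constructed record; placeholder for a real file\n" * 1000)[:8 * BLOCK_SIZE]
# Interrupted wipe: only the first two blocks were overwritten.
PARTIAL_SAMPLE = WIPED_SAMPLE[:2 * BLOCK_SIZE] + INTACT_SAMPLE[2 * BLOCK_SIZE:]

if __name__ == "__main__":
    samples = {
        "wiped.bin": WIPED_SAMPLE,
        "intact.bin": INTACT_SAMPLE,
        "partial.bin": PARTIAL_SAMPLE,
    }
    for path, verdict in triage(samples).items():
        ents = block_entropies(samples[path])
        print(f"{path:12s} wiped={verdict!s:5s} "
              f"min/max block entropy = {min(ents):.3f}/{max(ents):.3f}")
```

High per-block entropy is a triage signal, not proof: compressed archives, encrypted files and certificates also score near 8.0, so the verdict should be read together with the file's location (for example the NTDS folder), its timestamps and whether its shadow copies are missing. The partial sample shows why the block fraction matters: a wipe interrupted early leaves most of the file intact and recoverable.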
According to a recently released report by the Ukrainian Computer Emergency Response Team (CERT-UA), Sandworm also attempted to use the following five data-destruction tools on the network of the Ukrinform news agency:
- CaddyWiper (Windows)
- ZeroWipe (Windows)
- AwfulShred (Linux)
- BidSwipe (FreeBSD)
- SDelete (a legitimate tool for Windows)
According to the agency’s investigation, SwiftSlicer was also executed by Sandworm using a Group Policy Object (GPO), a set of configuration rules that administrators use to manage operating systems, applications, and user settings in an Active Directory environment.