In a nutshell: Security researchers from ESET have identified a particular type of malware known as SwiftSlicer deployed in recent attacks against Ukrainian targets. SwiftSlicer targets critical Windows operating system files and Active Directory (AD) databases. Based on the team's findings, the malware can destroy operating system resources and cripple entire Windows domains.
The researchers identified the SwiftSlicer malware deployed during a cyberattack targeting Ukrainian technology outlets. The malware was written using a cross-platform language called Golang, better known as Go, and uses an Active Directory (AD) Group Policy attack vector.
#BREAKING On January 25th #ESETResearch discovered a new cyberattack in Ukraine. Attackers deployed a new wiper we named #SwiftSlicer using Active Directory Group Policy. The #SwiftSlicer wiper is written in Go programming language. We attribute this attack to #Sandworm. 1/3 pic.twitter.com/pMij9lpU5J
— ESET Research (@ESETresearch) January 27, 2023
The announcement notes that the malware is identified as WinGo/Killfiles.C. On execution, SwiftSlicer deletes shadow copies and recursively overwrites files, then reboots the computer. It overwrites the files using 4,096-byte blocks made up of randomly generated bytes. Overwritten files are typically located in %CSIDL_SYSTEM%\drivers, %CSIDL_SYSTEM_DRIVE%\Windows\NTDS, and several other non-system drives.
Analysts attributed the wiper-style malware to the Sandworm hacking group, which serves Russia's General Staff Main Intelligence Directorate (GRU) and Main Center for Special Technologies (GTsST). The latest attack is reminiscent of the recent HermeticWiper and CaddyWiper outbreaks deployed during Russia's invasion.
Researchers noted that hackers infected the targets in all three wiper attacks via the same AD-based vector. The similarities in deployment methods led ESET to believe that the Sandworm actors may have taken control of their targets' Active Directory environments prior to initiating the attack.
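The overwrite pattern described above (4,096-byte blocks of random bytes written over files under the system drivers and NTDS directories) is something a responder can test for during forensic triage of a suspected wiped host. The Python snippet below is an added example and is not ESET's tooling or anything taken from the article: it scores the leading 4 KiB of each file by Shannon entropy and flags content that is statistically random, which is what a random-byte overwrite leaves behind. It also flags driver and executable files that have lost their expected `MZ` header. The entropy threshold, the file paths and the file contents are constructed assumptions for the demonstration; the article does not state which API SwiftSlicer uses to perform the overwrite, and legitimately compressed or encrypted files will also score high, so a high-entropy verdict is a lead to confirm against known-good hashes, not proof of wiping on its own.

```python
import math
import os
from collections import Counter
from typing import Dict

# Block length the article reports SwiftSlicer uses when overwriting files.
BLOCK_SIZE = 4096

# Assumption: uniformly random bytes give roughly 7.9+ bits/byte over a 4 KiB
# sample, while plain text, executables and most OS files score well below.
WIPE_THRESHOLD = 7.8

# File types that should start with a PE ("MZ") header on a healthy system.
PE_EXTENSIONS = (".sys", ".exe", ".dll")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_wiped(data: bytes, threshold: float = WIPE_THRESHOLD) -> bool:
    """True when the first block is statistically random, i.e. consistent
    with having been overwritten by random bytes."""
    return shannon_entropy(data[:BLOCK_SIZE]) >= threshold


def missing_pe_header(path: str, data: bytes) -> bool:
    """True for a driver/executable whose PE magic bytes are gone."""
    return path.lower().endswith(PE_EXTENSIONS) and not data.startswith(b"MZ")


def triage_files(samples: Dict[str, bytes]) -> Dict[str, str]:
    """Map each path -> leading bytes to a verdict for the responder.

    'likely-wiped'   : leading block is random-looking
    'header-missing' : PE file without an MZ header but not random (partial damage)
    'normal'         : nothing suspicious in the leading block
    """
    verdicts = {}
    for path, content in samples.items():
        if looks_wiped(content):
            verdicts[path] = "likely-wiped"
        elif missing_pe_header(path, content):
            verdicts[path] = "header-missing"
        else:
            verdicts[path] = "normal"
    return verdicts


# Constructed sample inputs standing in for the leading bytes of files read
# from disk; the paths mirror the directories named in the article.
CONSTRUCTED_SAMPLES = {
    r"C:\Windows\System32\drivers\example.sys": os.urandom(BLOCK_SIZE),  # simulated wipe
    r"C:\Windows\NTDS\ntds.dit": os.urandom(BLOCK_SIZE),                 # simulated wipe
    r"C:\Windows\System32\drivers\intact.sys": b"MZ" + b"\x00" * (BLOCK_SIZE - 2),
    r"C:\Windows\System32\drivers\zeroed.sys": b"\x00" * BLOCK_SIZE,     # header lost, not random
    r"C:\Users\Public\notes.txt": b"Quarterly report draft. " * 200,
}


if __name__ == "__main__":
    for path, verdict in triage_files(CONSTRUCTED_SAMPLES).items():
        print(f"{verdict:15} {path}")
```

To run this against a real image, replace `CONSTRUCTED_SAMPLES` with the first `BLOCK_SIZE` bytes of each file under the mounted volume; reading only the leading block keeps the sweep fast across a whole system drive. Treat the verdicts as a prioritisation list for hash comparison against a known-good build, since the entropy test alone cannot distinguish random overwrites from legitimately encrypted or compressed content.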

To say Sandworm has been busy since the Ukraine war began would be an understatement. The Ukrainian Computer Emergency Response Team (CERT-UA) recently found another combination of several data-wiping malware packages deployed to the Ukrinform news agency's networks. The malware scripts targeted Windows, Linux, and FreeBSD systems and infected them with several malware payloads, including CaddyWiper, ZeroWipe, SDelete, AwfulShred, and BidSwipe.
UPDATE: UAC-0082 (suspected #Sandworm) to target Ukrinform using 5 variants of destructive software: CaddyWiper, ZeroWipe, SDelete, AwfulShred, BidSwipe.
Details: https://t.co/vFIiRvXm0u (UA only)
— CERT-UA (@_CERT_UA) January 27, 2023
According to CERT-UA, the attacks were only partially successful. One of Sandworm's listed malware packages, CaddyWiper, was also discovered in a failed attack that targeted one of Ukraine's largest energy suppliers in April of 2022. Researchers at ESET helped during that attack by working with CERT-UA to remediate and protect the network.

