New Data-Wiping Malware SwiftSlicer Attributed to Russian Sandworm Group
Cybersecurity experts have uncovered a new data-wiping malware named SwiftSlicer. It designs to overwrite essential files used by the Windows operating system. The malware came to light during a recent cyberattack in Ukraine. This Russia’s malware has connections to the Russian hacking group, Sandworm, which operates as part of the General Staff Main Intelligence Directorate (GRU). It also operates in the Main Center for Special Technologies (GTsST) military unit 74455.
Go-based Data-Wiping malware
The details about SwiftSlicer are still not clear. According to cybersecurity firm ESET, the destructive malware has its origin during a recent attack in Ukraine. The target organization’s name is not clear yet. However, Sandworm’s previous activities include a data-wiping attack on Ukraine’s national news agency, Ukrinform. In the attack discovered by ESET on January 25th, the threat actor launched a different destructive malware known as CaddyWiper. It has been observed in past attacks on Ukrainian targets.
ESET reports that Sandworm deployed SwiftSlicer using the Active Directory Group Policy. It allows domain administrators to execute scripts and commands across all devices in a Windows network. The malware was all about deleting shadow copies and overwriting crucial files in the Windows system directory. It includes drivers and the Active Directory database. The specific targeting of the %CSIDL_SYSTEM_DRIVE%\Windows\NTDS folder indicates that the malware is meant to destroy files and bring down entire Windows domains.
SwiftSlicer overwrites data using 4096-byte blocks filled with random bytes. Upon completing the data destruction, the malware reboots the system, according to ESET researchers. The malware uses Golang programming language. It has become popular among multiple threat actors for its versatility and ability to be compiled for all platforms and hardware. Although the malware was only recently add to the Virus Total database (submitted on January 26th). It is currently detects by over half of the antivirus engines on the scanning platform.
Russia’s destructive malware
The Ukrainian Computer Emergency Response Team (CERT-UA) has reported that Sandworm also tried to use five data-destruction utilities on the Ukrinform network, including CaddyWiper (Windows), ZeroWipe (Windows), SDelete (legitimate Windows tool), AwfulShred (Linux), and BidSwipe (FreeBSD). The investigation reveals that the malware spread to computers on the network. It is through a Group Policy Object (GPO), a set of rules in use by administrators to configure operating systems, apps, and user settings in an Active Directory environment. The same method was key to executing SwiftSlicer.
The discovery of SwiftSlicer highlights the continuous efforts by Sandworm to carry out destructive attacks on Ukrainian targets. The versatile and destructive nature of the malware, combined with the Active Directory Group Policy, poses a significant threat to Windows networks. Organizations should remain vigilant and implement robust cybersecurity measures to protect against data-wiping malware attacks.
