Security researchers have identified a new data-wiping malware called SwiftSlicer, which aims to overwrite important files used by the Windows operating system.
The new malware was recently discovered during a cyberattack on a target in Ukraine and was attributed to Sandworm, a hacking group operating under the Russian General Staff's intelligence service (GRU) as part of the Main Center for Special Technologies (GTsST), military unit 74455.
Go-based data eraser
While details about SwiftSlicer are few at the moment, security researchers from cybersecurity firm ESET say they have found the destructive malware deployed during a cyberattack in Ukraine.
The name of the target was not published. Recent Sandworm activity includes a data wipe attack on Ukrinform, Ukraine’s national news agency.
However, in the attack ESET detected on January 25, the threat actor launched another destructive malware called CaddyWiper, which has been previously observed in other attacks against Ukrainian targets [1, 2].
According to ESET, Sandworm launched SwiftSlicer using Active Directory Group Policy, which allows domain administrators to run scripts and commands on all devices in the Windows network.
ESET researchers say SwiftSlicer was used to wipe shadow copies and overwrite critical files in the Windows system directory, specifically drivers and the Active Directory database.
The specific targeting of the %CSIDL_SYSTEM_DRIVE%\Windows\NTDS folder indicates that the wiper is intended not only to destroy files but also to take down entire Windows domains.
Image: SwiftSlicer malware functions to wipe data (Source: ESET)
SwiftSlicer overwrites data in 4096-byte chunks filled with randomly generated bytes. After completing the data destruction, the malware reboots the system, ESET researchers say.
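As an added forensic example (not ESET's code and not part of its report), the script below uses the 4096-byte random-overwrite pattern described above to triage a suspect file: it walks the file in 4096-byte blocks, computes each block's Shannon entropy, and counts how many blocks look random-overwritten versus zero-filled or still structured. The sample data, the entropy threshold and the block labels are constructed assumptions, not values from the report.

```python
import math
import random
from collections import Counter
from typing import Dict

BLOCK_SIZE = 4096        # chunk size SwiftSlicer overwrites with (per ESET)
RANDOM_THRESHOLD = 7.8   # bits/byte; 4096 uniformly random bytes score about 7.95

def shannon_entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input, 8.0 for uniform data."""
    if not block:
        return 0.0
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())

def classify_block(block: bytes) -> str:
    """Label one block: 'zeroed' (one repeated byte), 'random-like', or 'structured'."""
    if len(set(block)) <= 1:
        return "zeroed"          # single-value fill, e.g. an all-zero overwrite
    if shannon_entropy(block) >= RANDOM_THRESHOLD:
        return "random-like"     # consistent with a random-byte overwrite
    return "structured"          # still looks like real file content

def triage_file(data: bytes, block_size: int = BLOCK_SIZE) -> Dict[str, object]:
    """Classify every block of `data` and summarise how much of it looks overwritten."""
    labels = [classify_block(data[i:i + block_size]) for i in range(0, len(data), block_size)]
    counts = Counter(labels)
    total = len(labels)
    return {
        "blocks": total,
        "random_like": counts["random-like"],
        "zeroed": counts["zeroed"],
        "structured": counts["structured"],
        "random_fraction": counts["random-like"] / total if total else 0.0,
        "labels": labels,
    }

# Constructed sample data (assumption, not real ntds.dit content): two blocks of
# repetitive record-like text followed by three blocks of seeded pseudo-random bytes
# standing in for chunks that were overwritten with random data.
_PATTERN = b"NTDS record placeholder text "
SAMPLE_INTACT = (_PATTERN * (2 * BLOCK_SIZE // len(_PATTERN) + 1))[:2 * BLOCK_SIZE]
_rng = random.Random(20230126)   # fixed seed so the sample is reproducible
SAMPLE_WIPED = bytes(_rng.getrandbits(8) for _ in range(3 * BLOCK_SIZE))

if __name__ == "__main__":
    summary = triage_file(SAMPLE_INTACT + SAMPLE_WIPED)
    print(summary["labels"])
    print(f"{summary['random_like']}/{summary['blocks']} blocks look random-overwritten")
```

Compressed or encrypted content also scores close to 8 bits per byte, so the random fraction is only meaningful when read against what the file is expected to contain (a directory database or driver binary is not uniformly random throughout).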
According to the researchers, Sandworm developed SwiftSlicer in the Go (Golang) programming language, which several threat actors have adopted for its versatility and its ability to compile for all platforms and hardware.
Although the malware was only recently added to the VirusTotal database (submitted on January 26), it is currently detected by more than half of the antivirus engines on the scanning platform.
Russia’s destructive malware
In a report today, Ukraine’s Computer Emergency Response Team (CERT-UA) says Sandworm also attempted to use five data destruction programs on the Ukrinform news agency’s network:
- CaddyWiper (Windows)
- ZeroWipe (Windows)
- SDelete (legitimate tool for Windows)
- TerribleShred (Linux)
- BidSwipe (FreeBSD)
The agency’s investigation revealed that Sandworm distributed the malware to computers on the network using a Group Policy Object (GPO), a set of rules administrators use to configure operating systems, apps, and user settings in an Active Directory environment. This is the same method that was used to run SwiftSlicer.