Security researchers have identified a new data erasing malware which they named SwiftSlicer which aims to overwrite crucial files used by Windows operating system.

The new malware was discovered during a recent cyberattack on a target in Ukraine and has been attributed to Sandworm, a hacking group working for the Russian General Staff’s Main Intelligence Directorate (GRU) as part of military unit 74455 of the Main Center for Special Technologies (GTsST). .

Go based data eraser

Although details about SwiftSlicer are scarce at this time, security researchers from cybersecurity firm ESET claim to have found the destructive malware deployed in a cyberattack in Ukraine.

The target’s name has not been released, recent Sandworm activity includes a data erasure attack on UkrinformUkrainian National News Agency.

However, in the attack discovered by ESET on January 25, the malicious actor launched another destructive malware called CaddyWiper, previously seen in other attacks against Ukrainian targets. [1, 2].

ESET says Sandworm launched SwiftSlicer using Active Directory Group Policy, which allows domain administrators to run scripts and commands on all Windows network devices.

ESET researchers claim that SwiftSlicer was deployed to delete shadow copies and overwrite critical files in the Windows system directory, in particular drivers and the Active Directory database.

The specific targeting of the %CSIDL_SYSTEM_DRIVE%\Windows\NTDS folder indicates that the wiper is not only intended to destroy files, but also to bring down entire Windows domains.

SwiftSlicer overwrites data using 4096 byte blocks that are filled with randomly generated bytes. After completing the data destruction job, the malware restarts the systems, according to ESET researchers.

According to the researchers, Sandworm developed SwiftSlicer in the Golang programming language, which has been adopted by several threat actors for its versatility, and it can be compiled for all platforms and hardware.

Although the malware was only recently added to the Virus Total database (submitted on January 26), it is currently detected by more than half of the antivirus engines present on the analysis platform.

The destructive malware from Russia

In a report released today, the Computer Emergency Response Team of Ukraine (CERT-UA) states that Sandworm also tried using five data destruction utilities on the network of the Ukrinform news agency:

• CaddyWiper (Windows)
• ZeroWipe (Windows)
• SDelete (legitimate tool for Windows)
• AwfulShred (Linux)
• BidSwipe (FreeBSD)

The agency’s investigation found that SandWorm distributed the malware to computers on the network using a Group Policy Object (GPO) – a set of rules used by administrators to configure computer systems. operating, applications and user settings in an Active Directory environment, the same method also used. to run SwiftSlicer.