Hackers use new SwiftSlicer wiper to destroy Windows domains


Security researchers have identified a new data-wiping malware they named SwiftSlicer that aims to overwrite critical files used by the Windows operating system.

The new malware was discovered in a recent cyberattack against a target in Ukraine and has been attributed to Sandworm, a hacking group working for Russia’s General Staff Main Intelligence Directorate (GRU) as part of the Main Center for Special Technologies (GTsST) military 55 unit 744 .

Go-based data wipers

While details are scant regarding SwiftSlicer at the moment, security researchers at cybersecurity company ESET say that they found the destructive malware deployed during a cyberattack in Ukraine.

The name of the target has not been published, recent Sandworm activity includes a data-wiping attack on Ukrinform, Ukraine’s national news agency.

However, in the attack that ESET discovered on January 25 the threat actor launched a different destructive malware called CaddyWiper, previously observed in other attacks on Ukrainian targets [1, 2].

ESET says that Sandworm launched SwiftSlicer using Active Directory Group Policy, which allows domain admins to execute scripts and commands throughout all of the devices in Windows network.

ESET researchers say that SwiftSlicer was deployed to delete shadow copies and to overwrite critical files in the Windows system directory, specifically drivers and the Active Directory database.

The specific targeting of the %CSIDL_SYSTEM_DRIVE%WindowsNTDS folder indicates that the wiper is not only meant to destroy files but to also bring down the entire Windows domains.

SwiftSlicer data-wiping malware functions
source: ESET

SwiftSlicer overwrites data using 4096 bytes blocks that are filled with randomly generated bytes. After completing the data destruction job, the malware reboots the systems, ESET researchers say.

According to the researchers, Sandworm developed SwiftSlicer in Golang programming language, which has been adopted by multiple threat actors for its versatility, and it can be compiled for all platforms and hardware.

Although the malware has been added to the Virus Total database only recently (submitted on January 26), it is currently detected by more than half of the antivirus engines present on the scanning platform.

Russia’s destructive malware

In a report today, the Ukrainian Computer Emergency Response Team (CERT-UA) says that Sandworm also tried to use five data-destruction utilities on the Ukrinform news agency’s network:

  • CaddyWiper (Windows)
  • ZeroWipe (Windows)
  • SDelete (legitimate tool for Windows)
  • Awful Shred (Linux)
  • BidSwipe (FreeBSD)

The agency’s investigation revealed that SandWorm distributed the malware to computers on the network using a Group Policy Object (GPO) – a set of rules administrators use to configure operating systems, apps, and user settings in an Active Directory environment, the same method also used to execute SwiftSlicer.




Source link

Jorge Oliveira

https://www.linkedin.com/in/marketing-online-ireland/ https://muckrack.com/jorge_oliveira

Speed up onboarding with Active Directory user templates

PBC Launches Payments Directory For Cannabis Industry: Here’s How It Works

Application deadline for Kentucky Arts Council Performing Artists Directory is March

Near Me Business Directory Lists Local Dentists of Jacksonville

Why Companies Must Prioritize Back-End Tech Updates—And How To Do It

Textile-to-textile recycling directory to foster connections

Leave a Reply