Security researchers from ESET have discovered a new virus called SwiftSlicer, which was used in recent attacks against targets in Ukraine. SwiftSlicer targets critical Windows operating system files and Active Directory (AD) databases. The virus destroys operating system resources and disables Windows domains.
Researchers have identified the SwiftSlicer malware in a cyberattack on Ukrainian technology stores. The malware was written using a cross-platform language called Golang, better known as Go, and attacks Active Directory group policies.
#BREAKING On January 25th #ESETResearch proposed a new cyberattack in ?? Ukraine. Attackers deployed New wiper we named #SwiftSlicer using Active Directory Group Policy. ##SwiftSlicer wiper is written in Go programming language. We attribute this attack to #Sandworm. 1/3 pic.twitter.com/pMij9lpU5J
— ESET Research (@ESETresearch) January 27, 2023
Eset’s announcement states that the malware is identified as WinGo/Killfiles.C. When executed, SwiftSlicer deletes shadow copies and recursively overwrites files, then restarts the computer. The virus overwrites data using blocks of 4096 bytes long, consisting of randomly generated bytes. Overwritten files are usually located in the path %CSIDL_SYSTEM%\drivers, %CSIDL_SYSTEM_DRIVE%\Windows\NTDS and some other non-system resources.
Course
FINANCIAL MANAGER
Become a professional financial manager and earn from $500 in 2 months.
REGISTER!
Analysts have linked the Wiper-type malware to the Sandworm hacking group, which serves the General Intelligence Directorate of the General Staff (GU GSH) and the Main Center for Special Technologies (CGST). The latest attack echoes the recent HermeticWiper and CaddyWiper outbreaks that occurred during the Russian invasion. The specifics of the program’s deployment lead ESET to believe that Sandworm may have gained control of targets’ Active Directory environments before the attack began.
The Ukrainian Computer Emergency Response Team (CERT-UA) recently discovered another combination of several malicious data deletion packages deployed on the networks of the Ukrinform news agency. The malicious scripts targeted Windows, Linux, and FreeBSD and infected them with several viruses, including CaddyWiper, ZeroWipe, SDelete, AwfulShred, and BidSwipe.
UPDATE: UAC-0082 (suspected #Sandworm) to the Ukrinform list using 5 variants of destructive software: CaddyWiper, ZeroWipe, SDelete, AwfulShred, BidSwipe.
Details: (UA only)
— CERT-UA (@_CERT_UA) January 27, 2023
According to CERT-UA, the attacks were only partially successful. One of Sandworm’s malicious packages, CaddyWiper, was also discovered in a failed attack on one of Ukraine’s largest electricity suppliers in April 2022. ESET researchers helped Ukraine repel this attack by working with CERT-UA to restore and protect the network.
“Cyber criminals have mentioned the topic of COVID-19”. The State Intelligence Service warns about the distribution of e-mails with malicious programs
Source: TechSpot
