30 January 2023

Russian Sandworm hackers hit Ukraine with new destructive wiper


ESET's threat research group has discovered a new data-wiping malware it dubbed “SwiftSlicer,” designed to overwrite crucial files used by the Windows operating system.

The new malware was spotted on January 25, 2023 in a recent cyberattack targeting an organization in Ukraine. The researchers attributed this malware to the Russia-linked Sandworm threat actor known to have been focused on targets in Ukraine.

ESET notes that SwiftSlicer, which is written in the Go programming language, was deployed through Group Policy, suggesting the threat actor hijacked the victim’s Active Directory environment.

“Once executed it deletes shadow copies, recursively overwrites files located in %CSIDL_SYSTEM%\drivers, %CSIDL_SYSTEM_DRIVE%\Windows\NTDS and other non-system drives and then reboots the computer. For overwriting it uses a 4096-byte block filled with a randomly generated byte,” the cybersecurity firm explained.
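As an added forensic triage example (not ESET's code and not the malware's), the following Python script flags files whose contents match the overwrite pattern quoted above: every 4096-byte block filled with one repeated byte value. It assumes the random byte is repeated across each block, as the description suggests, and treats all-zero files as a weaker signal because zero-filled files occur legitimately (sparse or preallocated files).

```python
"""Triage helper for the SwiftSlicer overwrite pattern described by ESET:
files consisting of 4096-byte blocks, each filled with a single repeated byte.
Sample data below is constructed for illustration."""
import os
from dataclasses import dataclass

BLOCK = 4096  # block length quoted in the ESET description


@dataclass
class WipeVerdict:
    path: str
    homogeneous_blocks: int
    total_blocks: int
    fill_values: set

    def is_suspicious(self) -> bool:
        # Every block is a single repeated byte and at least one fill value is
        # non-zero. A purely zero-filled file is common on a healthy system, so
        # it is reported (fill_values == {0}) but not counted as a wipe hit.
        return (self.total_blocks > 0
                and self.homogeneous_blocks == self.total_blocks
                and self.fill_values != {0})


def analyse_bytes(data: bytes, path: str = "<memory>") -> WipeVerdict:
    homogeneous, total, fills = 0, 0, set()
    for off in range(0, len(data), BLOCK):
        chunk = data[off:off + BLOCK]  # last chunk may be shorter than BLOCK
        total += 1
        # A block written from one repeated byte equals that byte times its length.
        if chunk == bytes([chunk[0]]) * len(chunk):
            homogeneous += 1
            fills.add(chunk[0])
    return WipeVerdict(path, homogeneous, total, fills)


def analyse_file(path: str) -> WipeVerdict:
    with open(path, "rb") as fh:
        return analyse_bytes(fh.read(), path)


def scan_tree(root: str) -> list:
    """Walk a directory (e.g. an offline copy of System32\\drivers or NTDS) and
    return the paths that match the wipe pattern."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            try:
                verdict = analyse_file(os.path.join(dirpath, name))
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if verdict.is_suspicious():
                hits.append(verdict.path)
    return hits
```

Run `scan_tree()` against a mounted disk image or an offline copy of the affected directories; files flagged with a non-zero fill value are candidates for restoration from backup rather than repair.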

ESET has identified several Sandworm-linked malware wipers (HermeticWiper, CaddyWiper, IsaacWiper) since the beginning of Russia’s invasion of Ukraine last February. According to the Ukrainian Computer Emergency Response Team (CERT-UA), CaddyWiper (Windows) along with ZeroWipe (Windows), SDelete (Windows), AwfulShred (Linux), and BidSwipe (FreeBSD) malware was deployed in a recent cyberattack against the Ukrainian state news agency Ukrinform.

In November 2022, multiple organizations in Ukraine were hit with a series of attacks deploying a new ransomware strain called “RansomBoggs,” linked to Sandworm.
