{"id":8365,"date":"2023-01-27T12:00:00","date_gmt":"2023-01-27T10:00:00","guid":{"rendered":"https:\/\/blog.eset.ee\/et\/2023\/01\/27\/swiftslicer-new-destructive-wiper-malware-strikes-ukraine\/"},"modified":"2023-01-27T12:00:00","modified_gmt":"2023-01-27T10:00:00","slug":"swiftslicer-new-destructive-wiper-malware-strikes-ukraine","status":"publish","type":"post","link":"https:\/\/blog.eset.ee\/et\/en\/2023\/01\/27\/swiftslicer-new-destructive-wiper-malware-strikes-ukraine\/","title":{"rendered":"SwiftSlicer: New destructive wiper malware strikes Ukraine"},"content":{"rendered":"<p>ESET researchers have uncovered a new wiper attack in Ukraine that they attribute to the <a href=\"https:\/\/www.welivesecurity.com\/2022\/03\/21\/sandworm-tale-disruption-told-anew\/\">Sandworm<\/a> APT group.<\/p>\n<p>Dubbed SwiftSlicer, the destructive malware was spotted on the network of a targeted organization on January 25<sup>th<\/sup>. It was deployed through Group Policy, which suggests that the attackers had taken control of the victim\u2019s Active Directory environment.<\/p>\n<p>Some of the wipers spotted by ESET in Ukraine early into Russia\u2019s invasion \u2013 <a href=\"https:\/\/www.welivesecurity.com\/2022\/02\/24\/hermeticwiper-new-data-wiping-malware-hits-ukraine\/\">HermeticWiper<\/a> and <a href=\"https:\/\/www.welivesecurity.com\/2022\/03\/15\/caddywiper-new-wiper-malware-discovered-ukraine\/\">CaddyWiper<\/a> \u2013 were in some instances also planted in the same fashion. 
The latter was last spotted on the <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/ukraine-links-data-wiping-attack-on-news-agency-to-russian-hackers\/\">network of Ukraine\u2019s news agency Ukrinform<\/a> just days ago.<\/p>\n<blockquote><p><a href=\"https:\/\/twitter.com\/ESETresearch\/status\/1618960022150729728\">ESET Research on Twitter<\/a><\/p><\/blockquote>\n<p>SwiftSlicer is detected by ESET products as <a href=\"https:\/\/www.virustotal.com\/gui\/file\/1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690\">WinGo\/KillFiles.C<\/a>. The malware was written in Go, a highly versatile, cross-platform programming language.<\/p>\n<p>When it comes to SwiftSlicer\u2019s method of destruction, ESET researchers had this to say: \u201cOnce executed it deletes shadow copies, recursively overwrites files located in <span>%CSIDL_SYSTEM%\\drivers, %CSIDL_SYSTEM_DRIVE%\\Windows\\NTDS<\/span> and other non-system drives and then reboots computer. For overwriting it uses 4096 bytes length block filled with randomly generated byte\u201d.<\/p>\n<p>Two months ago, ESET detected a wave of <a href=\"https:\/\/www.welivesecurity.com\/2022\/11\/28\/ransomboggs-new-ransomware-ukraine\/\">RansomBoggs<\/a> ransomware attacks in the war-torn country that were also linked to Sandworm. The campaigns were just one of the latest additions to the long r\u00e9sum\u00e9 of damaging attacks that the group has conducted against Ukraine over the past near-decade. 
Sandworm&#8217;s track record also includes a string of attacks \u2013 <a href=\"https:\/\/www.welivesecurity.com\/2016\/01\/03\/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry\/\">BlackEnergy<\/a>, <a href=\"https:\/\/www.welivesecurity.com\/2018\/10\/17\/greyenergy-updated-arsenal-dangerous-threat-actors\/\">GreyEnergy<\/a> and the first iteration of <a href=\"https:\/\/www.welivesecurity.com\/2022\/06\/13\/industroyer-cyber-weapon-brought-down-power-grid\/\">Industroyer<\/a> \u2013 that targeted energy providers. An <a href=\"https:\/\/www.welivesecurity.com\/2022\/04\/12\/industroyer2-industroyer-reloaded\/\">Industroyer2<\/a> attack was thwarted with help from ESET researchers in April of last year.<\/p>\n<p>To learn more about Sandworm&#8217;s campaigns in Ukraine in recent months, head over to the <a href=\"https:\/\/www.welivesecurity.com\/2023\/01\/31\/eset-apt-activity-report-t3-2022\/\">ESET APT Activity Report T3 2022<\/a>.<\/p>\n<p class=\"wls-source\"><a href=\"https:\/\/www.welivesecurity.com\/2023\/01\/27\/swiftslicer-new-destructive-wiper-malware-ukraine\/\" rel=\"nofollow noopener\" target=\"_blank\">Read the full analysis on WeLiveSecurity \u2192<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Sandworm continues to conduct attacks against carefully chosen targets in the war-torn 
country<\/p>\n","protected":false},"author":5,"featured_media":8366,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2880],"tags":[],"class_list":["post-8365","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-digital-security"],"acf":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/8365","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/comments?post=8365"}],"version-history":[{"count":0,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/8365\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media\/8366"}],"wp:attachment":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media?parent=8365"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/categories?post=8365"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/tags?post=8365"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}