Hackers use new SwiftSlicer wiper to destroy Windows domains

Security researchers have identified a new data-wiping malware they named SwiftSlicer that aims to overwrite crucial files used by the Windows operating system.

The new malware was discovered in a recent cyberattack against a target in Ukraine and has been attributed to Sandworm, a hacking group working for Russia’s General Staff Main Intelligence Directorate (GRU) as part of the Main Center for Special Technologies (GTsST) military unit 74455.

Go-based data wiper

While details about SwiftSlicer are scant at the moment, security researchers at cybersecurity company ESET say that they found the destructive malware deployed during a cyberattack in Ukraine.

The name of the target has not been published; recent Sandworm activity includes a data-wiping attack on Ukrinform, Ukraine’s national news agency.

However, in the attack that ESET discovered on January 25, the threat actor launched a different destructive malware called CaddyWiper, previously observed in other attacks on Ukrainian targets [1, 2].

ESET says that Sandworm launched SwiftSlicer using Active Directory Group Policy, which allows domain admins to execute scripts and commands on all the devices in a Windows network.

ESET researchers say that SwiftSlicer was deployed to delete shadow copies and to overwrite critical files within the Windows system directory, specifically drivers and the Active Directory database.

The specific targeting of the %CSIDL_SYSTEM_DRIVE%\Windows\NTDS folder indicates that the wiper is meant not only to destroy files but also to bring down entire Windows domains.

SwiftSlicer data-wiping malware functions
source: ESET

SwiftSlicer overwrites data using 4096-byte blocks that are filled with randomly generated bytes. After completing the data destruction job, the malware reboots the systems, ESET researchers say.

According to the researchers, Sandworm developed SwiftSlicer in the Golang programming language, which has been adopted by multiple threat actors for its versatility and because it can be compiled for all platforms and hardware.

Although the malware has been added to the VirusTotal database only recently (submitted on January 26), it’s currently detected by more than half of the antivirus engines present on the scanning platform.

Russia’s destructive malware

In a report today, the Ukrainian Computer Emergency Response Team (CERT-UA) says that Sandworm also tried to use five data-destruction utilities on the Ukrinform news agency’s network:

  • CaddyWiper (Windows)
  • ZeroWipe (Windows)
  • SDelete (legitimate tool for Windows)
  • AwfulShred (Linux)
  • BidSwipe (FreeBSD)

The agency’s investigation revealed that Sandworm distributed the malware to computers on the network using a Group Policy Object (GPO), a set of rules administrators use to configure operating systems, apps, and user settings in an Active Directory environment. This is the same method that was used to execute SwiftSlicer.
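A defender-side check for the GPO delivery path described above, added here as an example and not taken from ESET, CERT-UA or the original article: it diffs the gPCMachineExtensionNames attribute recorded in Windows Security event 5136 and reports GPOs that newly gained the Scripts or Scheduled Tasks client-side extension. It assumes Directory Service Changes auditing is enabled on domain controllers; the sample events, account names and GPO GUIDs are constructed, and the choice of those two extensions as the ones worth flagging is an assumption.

```python
import re
from collections import defaultdict

# CSE GUIDs whose presence means the GPO makes clients run something.
EXEC_CSES = {
    "{42B5FAAE-6536-11D2-AE5A-0000F87571E3}": "Scripts",
    "{AADCED64-746C-4633-A97C-D61349046527}": "Scheduled Tasks",
}
ADDED = "%%14674"  # event 5136 OperationType "Value Added"; deletes are %%14675

def cse_guids(value):
    """The first GUID in each [...] group of gPCMachineExtensionNames is the CSE."""
    return {g.upper() for g in re.findall(r"\[(\{[0-9A-Fa-f-]{36}\})", value or "")}

def flag_gpo_changes(events):
    """Return [(gpo_dn, user, [gained CSE names])] for GPOs that gained an EXEC_CSE."""
    changes = defaultdict(lambda: {"old": set(), "new": set(), "user": None})
    for e in events:
        if (e["EventID"] != 5136 or e["ObjectClass"] != "groupPolicyContainer"
                or e["AttributeLDAPDisplayName"] != "gPCMachineExtensionNames"):
            continue
        # One edit is logged as a delete of the old value plus an add of the new one.
        c = changes[(e["OpCorrelationID"], e["ObjectDN"])]
        c["user"] = e["SubjectUserName"]
        c["new" if e["OperationType"] == ADDED else "old"] |= cse_guids(e["AttributeValue"])
    findings = []
    for (_, dn), c in changes.items():
        gained = sorted(EXEC_CSES[g] for g in c["new"] - c["old"] if g in EXEC_CSES)
        if gained:
            findings.append((dn, c["user"], gained))
    return findings

def ev(op, dn, user, corr, value):  # builds one constructed 5136 record
    return {"EventID": 5136, "ObjectClass": "groupPolicyContainer",
            "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
            "OperationType": op, "ObjectDN": dn, "SubjectUserName": user,
            "OpCorrelationID": corr, "AttributeValue": value}

REG = "[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}]"
SCR = "[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}]"
GPO_A = "CN={11111111-1111-1111-1111-111111111111},CN=Policies,CN=System,DC=example,DC=test"
GPO_B = "CN={22222222-2222-2222-2222-222222222222},CN=Policies,CN=System,DC=example,DC=test"
SAMPLE = [  # constructed events, not taken from any real incident
    ev("%%14675", GPO_A, "svc-backup", "c1", REG),
    ev("%%14674", GPO_A, "svc-backup", "c1", REG + SCR),  # gains Scripts: flagged
    ev("%%14675", GPO_B, "gpo-admin", "c2", REG + SCR),
    ev("%%14674", GPO_B, "gpo-admin", "c2", SCR),         # Scripts already present
]
print(flag_gpo_changes(SAMPLE))
```

A finding is a prompt to review who made the change and what the GPO now runs, since legitimate administrators also add scripts and scheduled tasks to GPOs.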

