A glut of wiper malware hits Ukrainian targets

ESET researchers have discovered yet another wiper malware used to target Ukrainian organizations. Dubbed SwiftSlicer, it is thought to be wielded by the Sandworm APT.

Simultaneously, the Ukranian CERT has confirmed that the attackers who recently aimed to disrupting the operation of the National News Agency of Ukraine (Ukrinform) used various wiper malware and one legitimate Windows command line utility to try to “destroy” machines running different operating systems. They believe the Sandworm team was behind it, as well.

Wipers target Ukraine

Fortinet security researcher Geri Révay recently recapped last year’s “explosion” of wiper malware, and made / reiterated a few interesting points:

  • Ransomware can serve as a wiper, if attackers can’t share the decryption key
  • Wipers can masquerade as ransomware
  • Wipers for OT environments are a thing
  • The growth in wiper malware during a conflict is to be expected, as its main function is destruction, and most of the new wipers detected in 2022 were aimed at Ukrainian organizations

Earlier this month, CERT-UA fended off the cyberattack against Ukrinform and limited its destructive effect to some parts of the agency’s information infrastructure – “a limited number of data storage systems,” according to the State Special Communications Service of Ukraine.

“While investigating the attack, the CERT-UA experts learned that the criminals had made an unsuccessful attempt to disrupt user workstations’ normal operation by using CaddyWiper and ZeroWipe destructive malware as well as a legitimate SDelete utility (that they planned to start through “news.bat”). At the same time, a group policy object (GPO) was used for centralized malware dissemination. It enabled creation of corresponding scheduled tasks.”

The attackers also used the AwfulShred and BidSwipe wipers to target Linux and FreeBSD machines.

CERT-UA also mentioned “an element of ICS” that was used by attackers to allow them to remotely access the agency’s information resources, but did not provide more information about it.

The SwiftSlicer wiper

ESET researchers have named another wiper used in a cyberattack in Ukraine SwiftSlicer. They did not name the target of the attack, but shared that it was disseminated via (Active Directory) group policy objects.

“Once executed it deletes shadow copies, recursively overwrites files located in %CSIDL_SYSTEM%\drivers, %CSIDL_SYSTEM_DRIVE%\Windows\NTDS and other non-system drives and then reboots computer. For overwriting it uses 4096 bytes length block filled with randomly generated bytes,” they noted. Overwriting just parts of those files is enough to make it difficult to restore them.

The wiper was written in Go – a cross-platform programming language – which means researchers could soon start spotting SwiftSlicer versions targeting different operating systems.

Don't miss