Hackers Use New SwiftSlicer Wiper To Destroy Windows Domains

Written by Senoria Khursheed ·  1 min read >

Researchers have found a new data-wiping malware used by hackers to destroy Windows domains. Security researchers have named it SwiftSlicer, which aims to overwrite crucial files used by the Windows Operating System.

The new malware has the efficiency in destroying all Windows in just milliseconds. It was discovered in a recent cyber attack faced by Ukraine and has been attributed to Sandworm.

Sandworm is a unit 74455, a cyber military unit of the GRU. GRU is an organization in charge of Russian military intelligence. Moreover, Sandworm is a strain of malware used in Russian cyber-espionage campaigns targeting NATO.

The attack relies on a zero-day vulnerability, fixed in bulletin MS-14-060 of Microsoft’s October 2014 Patch.

Go-Based Data Wiper

Though SwiftSlicer is kept secret by the authorities, security researchers at the cybersecurity firm ESET claim to have discovered the malicious software during a cyber attack in Ukraine. Moreover, the authorities still need to disclose the name. But according to the sources, Sandworm activity includes a data-wiping-attack on Ukrinform, Ukraine’s National News Agency.

In addition, in the attacks the ESET discovered on January 25, the researchers have found different destructive malware called Caddy Wiper involved in other attacks on Ukrainian targets.

According to ESET, Swiftslicer was allegedly launched by Sandworm using Active Directory Group Policy. The policy enables domain administrators to run scripts and commands across all the Windows Network Devices.

Moreover, ESET said that swiftSlicer was used to overwrite and delete critical files in the Windows system directory. The field that SwiftSlicer targets are the drivers and the Active Directory Database, and it delete shadow copies of those files.

Besides, the wiper explicitly targets the destruction of the %CSIDL _System__Drive%\Windows\NTDS folder, indicating that it is also intended to destroy the entire windows domain. As well as including all the main files.

SwiftSlicer is an active and intelligent data-wiping malware that overwrites data using 4096 blocks filled with randomly generated bytes. After completing the data destruction job by overwriting the files, the malware reboots the system.

According to the research, the hackers efficiently made SwiftSlicer in the Golang programming language, which numerous threat actors adopted due to its adaptability and ability to compile all platforms and hardware.

However, over half of the antivirus engines on the scanning platforms have identified the malware, although it was only added to the Virus Total Database.


The Destructive Malware

According to the Ukrainian Computer Emergency Response Team (CERT-UA) , Sandworm also tried to use five data-destruction utilities on the Ukrinform news agency network:

Zero Wipe (Windows)

Caddy Wiper (Windows)

Awful Shred (Linux)

Bid Swipe (Freebase)

SDelete (legitimate tool for Windows)

According to the different intelligence agencies, Sandworm distributed the malware to computers on the network using a Group Policy Object (GPO).
It is the rules administrators use to configure apps, operating systems, and user settings in an active dire Tory environment. The same method goes for SwiftSlicer.

Read more:

Indian Hacking Groups Are Behind Cyber Attacks In Afghanistan And Pakistan

Dehli Cyber Attack:Man Loses Rs 50 Lakh, No OTP Asked Just Missed Calls