September 22, 2023

Ukraine has again been the target of a Russian cyberattack, this time involving the deployment of a Golang-based data wiper dubbed SwiftSlicer, which has been attributed to Sandworm.

Sandworm is a nation-state group linked to Military Unit 74455 of the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).

Once executed, the wiper deletes shadow copies and recursively overwrites the files located in the following paths:

  • %CSIDL_SYSTEM%\drivers
  • %CSIDL_SYSTEM_DRIVE%\Windows\NTDS
  • other non-system drives; it then reboots the computer.

The overwrites are performed by filling 4,096-byte blocks with randomly generated byte sequences.
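The overwrite pattern described above (random bytes in 4,096-byte blocks) gives incident responders something to look for on a disk image. The following triage helper is an added example, not code from the original report or from any vendor: it flags files whose leading blocks are all near-maximal entropy, which intact drivers and NTDS.dit files are not. The entropy threshold and the number of sampled blocks are assumptions.

```python
"""Triage helper for files overwritten with random bytes in 4,096-byte blocks.
Added example; the entropy threshold and sample size are assumptions."""
import math
import os
from collections import Counter
from typing import List

BLOCK_SIZE = 4096        # block length the report gives for the overwrite
ENTROPY_THRESHOLD = 7.5  # bits/byte (assumed); random data approaches 8.0
MAX_BLOCKS = 16          # sample only the leading blocks so big files stay cheap


def block_entropy(block: bytes) -> float:
    """Shannon entropy of one block in bits per byte (0.0 to 8.0)."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def looks_wiped(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """True when every sampled full block is near-maximal entropy.
    An intact PE driver starts with a low-entropy MZ/PE header and NTDS.dit
    with structured ESE pages, so they fail this test. Compressed or
    encrypted files can pass it, so treat hits as leads, not proof.
    """
    full_blocks = len(data) // BLOCK_SIZE
    if full_blocks == 0:
        return False  # too small to contain one overwrite block
    return all(
        block_entropy(data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]) >= threshold
        for i in range(min(full_blocks, MAX_BLOCKS))
    )


def triage_tree(root: str) -> List[str]:
    """Walk a read-only evidence tree (e.g. the drivers or NTDS directory
    from a mounted disk image) and return paths whose content looks wiped."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if looks_wiped(fh.read(BLOCK_SIZE * MAX_BLOCKS)):
                        hits.append(path)
            except OSError:
                continue  # locked or unreadable; leave for manual review
    return hits
```

Run `triage_tree()` against a mounted image rather than a live system, and follow up each hit with a hash or signature check against a known-good copy.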

The sophistication of the Sandworm threat actor is evidenced by its multiple distinct kill chains, which comprise a wide variety of custom tools such as BlackEnergy, GreyEnergy, Industroyer, NotPetya, Exaramel, and Cyclops Blink.

Last year, during Russia’s military invasion of Ukraine, Sandworm unleashed WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, Industroyer2, Prestige, and RansomBoggs against critical infrastructure in Ukraine.

The discovery of SwiftSlicer points to the consistent use of wiper malware variants by the Russian adversarial collective in attacks designed to wreak havoc in Ukraine.

Indicators of Compromise

