New Wiper Malware SwiftSlicer Hit Ukraine

Description

FortiGuard Labs is aware of a report that a new wiper malware was used to in recent attacks targeting Ukraine. Dubbed SwiftSlicer, the wiper malware overwrites files in specified directories in the affected machines and deletes shadow copies to prevent file recovery.

Why is this Significant?

This is significant because SwiftSlicer is a new destructive malware used in real attacks. SwiftSlicer overwrites files in attacker specified folders and deletes shadow copies, which makes file recovery difficult.

What is SwiftSlicer?

SwiftSlicer is a wiper malware that is written in Go-language. The malware is designed to overwrite non-system drives as well as files under %CSIDL_SYSTEM%\drivers and %CSIDL_SYSTEM_DRIVE%\Windows\NTDS. It also leverages the Windows Management Instrumentation Command-line (WMIC) tool to delete shadow copies.

Other vendors have attributed SwiftSlicer to Sandworm Team who is believed to be a Russian threat actor responsible for destructive attacks such as NotPetya and Olympic Destroyer and cyber-attacks against the Ukrainian electrical grid in 2015 and 2016.

How Widespread is SwiftSlicer?

As of this writing, there is no report that indicates SwiftSlicer was used to target non-Ukrainian organizations.

What is the Status of Protection?

FortiGuard Labs provides the following AV signature for SwiftSlicer:

• W32/Malicious_Behavior.VEX

Appendix

SwiftSlicer: New destructive wiper malware strikes (ESET)