SwiftSlicer: Malware Developed During the Russia-Ukraine War

Researchers at CloudSEK's Threat Intelligence Team came across a malware strain dubbed 'SwiftSlicer' linked to the Sandworm APT group.
Updated on
April 19, 2023
Published on
February 21, 2023
  • Category: Adversary Intelligence
  • Industry: Multiple
  • Motivation: State Sponsored
  • Region: Ukraine
  • Source: A1

Executive Summary

Researchers at CloudSEK's Threat Intelligence Team came across a malware strain dubbed 'SwiftSlicer' linked to the Sandworm APT group. SwiftSlicer was first discovered in late January 2023 by researchers at ESET and belongs to the set of malware families developed to target Ukraine during the Russia-Ukraine war, alongside HermeticWiper and CaddyWiper.

Open Web Analysis

According to ESET's tweet, the malware was deployed on Ukrainian networks through Active Directory Group Policy. Delivery via Group Policy means the attackers already held privileged access to the victim's domain; it is the distribution mechanism rather than the initial access vector, which the available reporting does not identify. At the time of writing, no organizations outside Ukraine were known to have been targeted by SwiftSlicer.

Behavior & Attributions

The following characteristics have been attributed to the SwiftSlicer malware:

  • The malware is written in Go.
  • It deletes Volume Shadow Copies so that overwritten data cannot be restored from local snapshots, a behavior also common to ransomware families.
    (Command: wmic shadowcopy delete)
  • Drops a binary named after its own SHA-256 hash in a Desktop directory.
    (C:\Users\Desktop\1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe)
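The shadow-copy deletion above is the most detectable step in the chain, because it forces a process-creation event with a distinctive command line. The following hunting helper is an added example written for this report, not code from SwiftSlicer, ESET or CloudSEK: it runs process-creation records (Sysmon Event ID 1 or Security 4688 style fields, constructed here as samples) through a small rule set and reports which host and parent process issued the deletion. It goes beyond the page's single `wmic shadowcopy delete` command by also matching the `vssadmin delete shadows` and `Remove-WmiObject Win32_ShadowCopy` variants other wipers and ransomware use; field names such as `image`, `command_line` and `parent_image` are assumptions about the SIEM schema.

```python
import re

# Constructed process-creation samples (not telemetry from a real incident). Field names
# follow Sysmon EID 1 naming and are an assumption about the SIEM schema.
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": "wmic shadowcopy delete",
     "parent_image": r"C:\Users\Desktop\1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe"},
    {"host": "ws-02", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": "wmic os get caption",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"host": "srv-01", "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet",
     "parent_image": r"C:\Windows\Temp\svc.exe"},
    {"host": "ws-03", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -c "Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"host": "srv-02", "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin list shadows",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
]

# Each rule is (name, pattern over the normalized command line). The command line is
# lower-cased and its whitespace collapsed first, so "WMIC  ShadowCopy   DELETE" still hits.
RULES = [
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("powershell_remove_shadowcopy", re.compile(r"win32_shadowcopy\b.*\bremove-wmiobject\b")),
]


def normalize(command_line):
    """Collapse runs of whitespace and lower-case, so case and spacing tricks do not evade the rules."""
    return " ".join(command_line.split()).lower()


def match_shadow_copy_deletion(event):
    """Return the name of the first rule the event's command line matches, or None."""
    cmd = normalize(event.get("command_line", ""))
    for name, pattern in RULES:
        if pattern.search(cmd):
            return name
    return None


def hunt(events):
    """Run every event through the rules; return (host, rule, parent_image) for each hit."""
    hits = []
    for ev in events:
        rule = match_shadow_copy_deletion(ev)
        if rule:
            hits.append((ev["host"], rule, ev.get("parent_image", "")))
    return hits


if __name__ == "__main__":
    for host, rule, parent in hunt(SAMPLE_EVENTS):
        print(f"{host}: {rule} launched by {parent}")
```

The parent image is what makes a hit actionable: in the SwiftSlicer case the parent is the dropped binary itself, whereas a backup agent or an administrator's console is a plausible benign parent for the same command line and should be baselined before the rule goes to alerting.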

Relation Between SwiftSlicer & Sandworm

Sandworm is a known APT group operating out of Russia and attributed to Military Unit 74455 of the Main Center for Special Technologies (GTsST) of the General Staff Main Intelligence Directorate (GRU).

Sandworm has been actively targeting carefully chosen industries based in Ukraine. In September 2022, Sandworm deployed malware against telecommunications entities. Their known TTPs also include abusing victims' Active Directory infrastructure, which is consistent with SwiftSlicer being pushed through Group Policy.

Indicators of Compromise (IOCs)

Based on the results from VirusTotal and the Triage sandbox, the following are the known IOCs for the SwiftSlicer malware.

MD5

fee7c379f3a555c5c821e872ec384a91

ca9a70777979f218eee7e09edc9633ea

SHA-1

7346e2e29faddd63ae5c610c07acab46b2b1b176

SHA-256

1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690

3da28f7cfbaa400b2bcb191eb6c3d12d41db317185b539bb65ee85d3560c563b

Known AV Signature

W32/Malicious_Behavior.VEX (FortiGuard)
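Hash lists like the one above are typically pasted into a scanner by hand, and a digest filed under the wrong algorithm or truncated in copying silently never matches. The following scanner is an added example written for this report (not CloudSEK's, ESET's or any vendor's code): it parses an "algorithm hash" list, rejects any digest whose length does not match its algorithm, hashes every file under a directory once with all three algorithms, and reports matches. The IOC text embeds the hashes from this page plus one constructed, deliberately mis-filed line to show what the validator rejects; the planted "dropper.exe" in `demo_scan()` is a constructed stand-in, not the real sample.

```python
import hashlib
import os
import re
import tempfile

# IOCs from the list above in "algorithm hash" form. The last line is constructed: it is the
# second MD5 filed under sha1, the kind of copy-paste error the validator below rejects.
IOC_TEXT = """
md5 fee7c379f3a555c5c821e872ec384a91
md5 ca9a70777979f218eee7e09edc9633ea
sha1 7346e2e29faddd63ae5c610c07acab46b2b1b176
sha256 1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690
sha256 3da28f7cfbaa400b2bcb191eb6c3d12d41db317185b539bb65ee85d3560c563b
sha1 ca9a70777979f218eee7e09edc9633ea
"""

HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def parse_iocs(text):
    """Return ({algo: set(digests)}, [rejected lines]).

    A digest is kept only if it is hex of exactly the length its algorithm produces.
    """
    good = {algo: set() for algo in HEX_LEN}
    rejected = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 2:
            rejected.append(line)
            continue
        algo, digest = parts[0].lower(), parts[1].lower()
        if algo not in HEX_LEN or len(digest) != HEX_LEN[algo] or not HEX_RE.match(digest):
            rejected.append(line)
            continue
        good[algo].add(digest)
    return good, rejected


def hash_file(path):
    """Compute md5, sha1 and sha256 of a file in a single read pass."""
    hashers = {algo: hashlib.new(algo) for algo in HEX_LEN}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def scan(root, iocs):
    """Walk root; return [(path, algo, digest)] for every file whose digest is in iocs."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:
                continue  # locked or unreadable; a production scanner would log this
            for algo, digest in digests.items():
                if digest in iocs[algo]:
                    hits.append((path, algo, digest))
    return hits


def demo_scan():
    """Plant a constructed file, register its sha256 as an IOC, scan. Returns (hits, rejected)."""
    iocs, rejected = parse_iocs(IOC_TEXT)
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "benign.txt"), "wb") as f:
        f.write(b"nothing to see here\n")
    payload = b"constructed stand-in for the SwiftSlicer dropper\n"  # not the real sample
    with open(os.path.join(root, "dropper.exe"), "wb") as f:
        f.write(payload)
    iocs["sha256"].add(hashlib.sha256(payload).hexdigest())
    return scan(root, iocs), rejected


if __name__ == "__main__":
    hits, rejected = demo_scan()
    for line in rejected:
        print("rejected IOC line:", line)
    for path, algo, digest in hits:
        print(f"{path}: {algo} {digest}")
```

Rejected lines should be treated as a data-quality finding and chased back to the source rather than dropped quietly; a mis-filed hash means one of the published samples has no usable indicator for that algorithm.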
