- Category: Adversary Intelligence
- Industry: Multiple
- Motivation:State Sponsored
- Region: Ukraine
Researchers at CloudSEK’s Threat Intelligence Team came across a malware strain dubbed ‘Swiftslicer’ linked with APT SandWorm. SwiftSlicer was first discovered in late January 2023 by researchers at ESET and is considered amongst the set of malware groups that were developed to target Ukraine during the Russia-Ukraine war, such as HermeticWiper and CaddyWiper
Open Web Analysis
Based on the tweet by ESET, the malware was planted in the networks of Ukrainian systems using Active Directory Group Policy, which is the likely initial attack vector. However, while writing this report, no organizations outside of Ukraine were known to be targeted by Swiftslicer.
Behavior & Attributions
The following characteristics have been attributed to the Swiftslicer malware:
- The malware is written in GO language.
- It attempts to delete the shadow files, which is a known behavior of ransomware groups.
(Command: wmic shadowcopy delete)
- Drops a binary file in the Desktop directory.
Relation Between Swiftslicer & Sandworm
Sandworm is a known APT group operating actively out of Russia and attributed to General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.
APT Sandworm has been actively targeting carefully chosen industries based in Ukraine. In September 2022, Sandworm deployed malware in telecommunications entities. Their known TTPs also include exploiting Active Directories of the victims.
Indicators of Compromise (IOCs)
Based on the results from VirusTotal and Triage, the following are the known IOCs for Swiftslicer malware.
- APT Sandworm
- ESET’s discovery of Swiftslicer malware