March 29, 2023  — 
MSP Threats Security Team

SwiftSlicer: A simple yet dangerous data wiper

On January 25, 2023, ESET Research found a new data wiper in the network of Ukrinform, Ukraine’s national news agency. Later, the Computer Emergency Response Team of Ukraine (CERT-UA) added that as of January 27, five additional, different malware samples were spotted in the network.

These attacks were attributed to the Sandworm APT group, which was active from 2014. Sandworm is responsible for Industroyer, NotPetya, WhisperGate, CaddyWiper, IsaacWiper and other disruptive malware.

Technical details

Overview

The analyzed SwiftSlicer sample (SHA256:1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690) was written in the Go programming language, and has a fake compilation timestamp. This sample is not packed or obfuscated.

Acronis

Execution

Although the SwiftSlicer sample has over 1,800 functions, the wiping preparation and routine are easily located within functions with the ‘main_’ prefix.

Acronis

SwiftSlicer probably took its name from the ‘slice’ data type in Go. It has a bunch of functions to work with slices, which are used during execution to store data.

Acronis

Execution starts from the ‘main_main’ function. First, SwiftSlicer calls ‘main_paths()’ to obtain the System folder path.

Acronis

Besides the System folder, it also obtains some information about the system, user and other system paths.

Acronis

SwiftSlicer then obtains all available volumes’ path names. The System volume will be marked as ‘HOMEDRIVE’.

Acronis

Before starting the wiping routine, SwiftSlicer obtains some privileges. This particular operation requires administrative privileges and uses the ‘AdjustTokenPrivileges’ system call.

Acronis

After this operation has completed, SwiftSlicer’s process has the following privileges:

Acronis

It then deletes all shadow copies using the ‘wmic.exe’ process.

Acronis

Executed command:

Acronis

SwiftSlicer then starts searching for files to wipe. After reading the file on the logical drive, it checks whether it is a folder. If so, it reads its’ subfolders names.

Acronis

After that, it generates its’ full path and saves it in the memory.

Acronis

If the current folder doesn’t contain any folders, SwiftSlicer loads the 'main_walkFunk()’ function to the register and calls it.

Acronis

SwiftSlicer corrupts every file on the computer. The first-opened drive is not the System drive, allowing the malware to corrupts users’ files before it breaks the system’s workability. On the System drive, the first folder read is ‘C:\Windows\SysWOW64\drivers’. After listing all directories in this folder, SwiftSlicer loads the first driver file and calls the wipe function.

Acronis

After obtaining access to the file, SwiftSlicer checks its size.

Acronis

Then, it randomly generates a 128-byte buffer.

Acronis

This buffer is given as an argument to the ‘os__ptr_File_WriteAt()’ function, where it can be expanded up to 4096 bytes or to the file size.

Acronis

Depending on the file’s size, SwiftSlicer starts overwriting it. If the file is smaller than 4096 bytes, the wiper makes one iteration, writing a buffer equal to the file size. If the file is larger than 4096 bytes, it is divided into chunks and then overwritten. Each buffer has different content.

Acronis

Here is an example of how it overwrites a large file, making the offset for 4096 bytes after writing the previous buffer. The size of the last buffer depends on the file’s remaining size.

Acronis

The result is shown below:

Acronis

At the end of execution, it reboots the system using the ExitWindowsEx() call.

Acronis

Conclusion

The Sandworm APT group continues to develop disruptive malware and deploy it on different networks. Their new SwiftSlicer malware wipes all users’ files on the system, as well as system files such as drivers.

The whole corruption process was not particularly fast, because SwiftSlicer has only one thread, which enumerates files, loads and overwrites them. As a result, the process can be spotted early, before it corrupts the System drive.

Still, without good cybersecurity tools, some files could be corrupted and lost even if the malware was spotted and its execution terminated, as SwiftSlicer deletes all shadow copies at the start of execution.

Detected by Acronis

Acronis

IoCs

Files

SHA256
1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690