ESET detects new malware that harms Windows computers


Information security company ESET has detected a new cyberattack, apparently targeting Ukraine, with the aim of overwriting important files of the Windows operating system.

ESET said in a tweet: “On January 25, #ESETResearch detected a new cyberattack in Ukraine, in which the attackers used Active Directory group policies to deploy a new file-scanning tool we call #SwiftSlicer. #SwiftSlicer was developed in the Go programming language. We attribute this attack to #Sandworm.”

Active Directory Group Policy is an important tool in a Windows Active Directory environment that IT administrators can configure. Active Directory group policies define user and computer behavior and permissions.

Also known as Unit 74455, Sandworm is a group of Russian military hackers who work for the General Staff of the Russian Armed Forces. Several other attacks in Ukraine have been attributed to the group, including the 2015 power grid attack.

In another tweet, ESET said: “When you run the tool, it repeatedly deletes backups and overwrites files in %CSIDL_SYSTEM%\drivers, %CSIDL_SYSTEM_DRIVE%\Windows\NTDS directory and other non-system drives and then restarts your computer.”

The programming language (Go) that forms the basis of the attack is valuable to attackers because of its versatility, and many large companies, for example Google, Twitter, and PayPal, use it for legitimate reasons.

According to the Ukraine Computer Emergency Response Team, Sandworm launched a number of other attacks in the country, including five data-wiping attacks against the Ukrainian news agency Ukrinform.

A number of strings from CaddyWiper, the data wiping tool used in the attack on Ukrainian news agencies, have been found in several attacks on Ukraine, suggesting the involvement of the Dust Storm group.



