New Report Reveals NikoWiper Malware That Targeted Ukraine Energy Sector

Jan 31, 2023 | Ravie Lakshmanan | Cyber War / Malware

The Russia-affiliated Sandworm group used yet another wiper malware strain, dubbed NikoWiper, as part of an attack that took place in October 2022 targeting an energy sector company in Ukraine.

“The NikoWiper is based on SDelete, a command line utility from Microsoft that’s used for securely deleting files,” cybersecurity company ESET revealed in its latest APT Activity Report shared with The Hacker News.

The Slovak cybersecurity firm said the attacks coincided with missile strikes carried out by the Russian armed forces against Ukrainian energy infrastructure, suggesting an overlap in objectives.

The disclosure comes just days after ESET attributed to Sandworm a Golang-based data wiper dubbed SwiftSlicer that was deployed against an unnamed Ukrainian entity on January 25, 2023.

The advanced persistent threat (APT) group linked to Russia’s foreign military intelligence agency GRU has also been implicated in a partially successful attack targeting the national news agency Ukrinform, deploying as many as five different wipers on compromised machines.

The Computer Emergency Response Team of Ukraine (CERT-UA) identified the five wiper variants as CaddyWiper, ZeroWipe, SDelete, AwfulShred, and BidSwipe. The first three targeted Windows systems, while AwfulShred and BidSwipe took aim at Linux and FreeBSD systems.

The use of SDelete is notable, as it suggests that Sandworm has been experimenting with the utility as a wiper in at least two different incidents to cause irrevocable damage to the targeted organizations in Ukraine.

That said, ESET malware researcher Robert Lipovsky told The Hacker News that “NikoWiper is a different malware.”

Besides weaponizing SDelete, Sandworm’s recent campaigns have also leveraged bespoke ransomware families, including Prestige and RansomBoggs, to lock victim data behind encryption barriers with no option to recover it.

The efforts are the latest indication that the use of destructive wiper malware is on the rise and is increasingly being adopted as a cyber weapon of choice among Russian hacking crews.

“Wipers haven’t been used widely as they’re targeted weapons,” BlackBerry’s Dmitry Bestuzhev told The Hacker News in a statement. “Sandworm has been actively working on developing wipers and ransomware families used explicitly for Ukraine.”

It’s not just Sandworm: other Russian state-sponsored outfits such as APT29, Callisto, and Gamaredon have engaged in parallel efforts to cripple Ukrainian infrastructure via spear-phishing campaigns designed to facilitate backdoor access and credential theft.

According to Recorded Future, which tracks APT29 (aka Nobelium) under the moniker BlueBravo, the APT has been associated with new compromised infrastructure that is likely employed as a lure to deliver a malware loader codenamed GraphicalNeutrino.

The loader, whose main function is to deliver follow-on malware, abuses Notion’s API for command-and-control (C2) communications as well as the platform’s database feature to store victim information and stage payloads for download.

“Any country with a nexus to the Ukraine crisis, particularly those with key geopolitical, economic, or military relationships with Russia or Ukraine, are at elevated risk of targeting,” the company said in a technical report published last week.

The shift to Notion, a legitimate note-taking application, underscores APT29’s “broadening but continued use” of popular software services like Dropbox, Google Drive, and Trello to blend in malware traffic and circumvent detection.

Although no second-stage malware was detected, ESET, which also found a sample of the malware in October 2022, theorized it was “aimed at fetching and executing Cobalt Strike.”
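Two of the behaviours described in this article lend themselves to host telemetry detections: the repurposing of SDelete as a wiper (NikoWiper and the Ukrinform incident) and a loader that talks to Notion’s API from a process that has no business doing so (GraphicalNeutrino). The following triage script is an added example written for this page; it is not ESET’s, Recorded Future’s, or CERT-UA’s code, and it runs over a handful of constructed Sysmon-style events rather than real telemetry. The browser allowlist, the event field names, and the assumption that SDelete’s PE version info reports an original filename of `sdelete.exe` are assumptions; the SDelete switch meanings (`-s` recurse, `-z` zero free space, `-c` clean free space, `-p` passes) follow the Sysinternals documentation.

```python
"""Triage constructed Sysmon-style events for two behaviours discussed in
the article: SDelete-style secure deletion used as a wiper, and processes
other than browsers contacting the Notion API (possible C2 over a
legitimate SaaS). Added example; sample events are constructed, not real."""
import re
from typing import Iterable, Optional

# Sysmon Event ID 1 = process create, 22 = DNS query, 3 = network connect.
# Constructed sample events; field names mirror Sysmon's (assumption).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\Temp\svc.exe", "OriginalFileName": "sdelete.exe",
     "CommandLine": r"svc.exe -accepteula -s -q -p 2 C:\Users", "User": "CORP\\operator"},
    {"EventID": 1, "Image": r"C:\Tools\sdelete64.exe", "OriginalFileName": "sdelete.exe",
     "CommandLine": r"sdelete64.exe -accepteula -z C:", "User": "CORP\\itadmin"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe report.txt", "User": "CORP\\alice"},
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "api.notion.so", "User": "CORP\\alice"},
    {"EventID": 22, "Image": r"C:\Users\Public\update.exe",
     "QueryName": "api.notion.so", "User": "CORP\\bob"},
    {"EventID": 22, "Image": r"C:\Users\Public\update.exe",
     "QueryName": "www.msftconnecttest.com", "User": "CORP\\bob"},
]

# Matches notion.so and any subdomain such as api.notion.so.
NOTION_HOST_RE = re.compile(r"(^|\.)notion\.so$", re.IGNORECASE)
# Processes expected to reach Notion: browsers and the Notion desktop client.
# Hypothetical allowlist; tune it to the environment.
NOTION_ALLOWED_IMAGES = {"chrome.exe", "firefox.exe", "msedge.exe", "notion.exe"}
# SDelete switches that turn a single-file delete into broad destruction:
# -s recurse subdirectories, -z zero free space, -c clean free space.
DESTRUCTIVE_SWITCHES = {"-s", "-z", "-c"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_sdelete(ev: dict) -> Optional[dict]:
    """Flag any SDelete execution; escalate for renaming or destructive switches."""
    if ev.get("EventID") != 1:
        return None
    image = basename(ev.get("Image", ""))
    orig = ev.get("OriginalFileName", "").lower()
    if "sdelete" not in image and "sdelete" not in orig:
        return None
    switches = {a.lower() for a in ev.get("CommandLine", "").split() if a.startswith("-")}
    reasons = []
    if "sdelete" in orig and "sdelete" not in image:
        # Binary renamed to masquerade as something else (e.g. svc.exe).
        reasons.append(f"sdelete renamed to {image}")
    hit = switches & DESTRUCTIVE_SWITCHES
    if hit:
        reasons.append("destructive switches " + ",".join(sorted(hit)))
    return {"rule": "sdelete-execution", "user": ev.get("User"), "image": image,
            "severity": "high" if reasons else "medium", "reasons": reasons}


def check_notion_c2(ev: dict) -> Optional[dict]:
    """Flag DNS/network events to Notion from processes not on the allowlist."""
    if ev.get("EventID") not in (3, 22):
        return None
    host = ev.get("QueryName") or ev.get("DestinationHostname") or ""
    if not NOTION_HOST_RE.search(host):
        return None
    image = basename(ev.get("Image", ""))
    if image in NOTION_ALLOWED_IMAGES:
        return None
    return {"rule": "notion-api-from-unexpected-process", "user": ev.get("User"),
            "image": image, "severity": "medium", "reasons": [f"{image} resolved {host}"]}


def triage(events: Iterable[dict]) -> list:
    """Run every check over every event and collect the findings."""
    findings = []
    for ev in events:
        for check in (check_sdelete, check_notion_c2):
            finding = check(ev)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["rule"], f["user"], "; ".join(f["reasons"]))
```

Run against the constructed events, the script raises two SDelete findings (one for the renamed binary recursing through `C:\Users`, one for a free-space wipe of the system drive) and one Notion finding for `update.exe`, while the browser’s Notion lookup and the innocuous Notepad launch stay silent. In production the same two checks map onto Sysmon process-creation and DNS events (or EDR equivalents); the medium-severity “any SDelete execution” alert is deliberate, because on a host where administrators never use the tool, even a plain invocation is worth a look.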

The findings also come close on the heels of Russia stating that it was the target of “coordinated aggression” in 2022 and that it faced “unprecedented external cyber attacks” from “intelligence agencies, transnational IT corporations, and hacktivists.”

As the Russo-Ukrainian war formally enters its twelfth month, it remains to be seen how the conflict evolves in the cyber realm.

“Over the past year we’ve seen waves of increased activity – such as in the spring after the invasion, in the fall and quieter months over the summer – but overall there’s been a nearly constant stream of attacks,” Lipovsky said. “So one thing that we can be sure about is that we will be seeing more cyber attacks.”