New Report Reveals NikoWiper Malware That Targeted Ukraine Energy Sector

January 31, 2023 · Ravie Lakshmanan · Cyber War / Malware


The Russia-linked Sandworm group used yet another wiper malware strain, dubbed NikoWiper, against companies in the Ukrainian energy sector as part of an attack that took place in October 2022.

“NikoWiper is based on SDelete, Microsoft’s command-line utility used to securely delete files,” cybersecurity firm ESET revealed in its latest APT activity report shared with The Hacker News.

The Slovak cybersecurity firm said the attack coincided with a missile strike by the Russian military on Ukraine’s energy infrastructure, suggesting overlapping objectives.

The disclosure comes just days after ESET attributed to Sandworm a Golang-based data wiper called SwiftSlicer that was deployed against an unnamed Ukrainian entity on January 25, 2023.

The advanced persistent threat (APT) group, which is affiliated with Russia’s foreign military intelligence agency, the GRU, was also involved in a partially successful attack on the state-owned news agency Ukrinform, in which up to five different wipers were deployed on compromised machines.

Ukraine’s Computer Emergency Response Team (CERT-UA) identified the five wiper variants as CaddyWiper, ZeroWipe, SDelete, AwfulShred, and BidSwipe. The first three target Windows systems, while AwfulShred and BidSwipe target Linux and FreeBSD systems.

The use of SDelete is worth noting, as it suggests Sandworm has experimented with the utility as a wiper in at least two separate instances in order to cause irreparable damage to targeted organizations in Ukraine.

However, ESET malware researcher Robert Lipovsky told The Hacker News that “NikoWiper is another malware.”

Sandworm’s recent campaigns have not only weaponized SDelete but have also leveraged bespoke ransomware families such as Prestige and RansomBoggs to lock victims’ data behind encryption with no option to restore it.

The activity is the latest sign of the growing use of destructive wiper malware, which is increasingly the cyberweapon of choice among Russian hacking crews.

BlackBerry’s Dmitry Bestuzhev told The Hacker News, “Since wipers are targeted weapons, they are not widely used.”

Sandworm is not alone. Running in parallel are efforts by other Russian government-backed groups, including APT29, Callisto and Gamaredon, to disable Ukrainian infrastructure via spear-phishing campaigns designed to facilitate backdoor access and credential theft.

According to Recorded Future, which tracks APT29 (aka Nobelium) under the name BlueBravo, the group has been connected to newly compromised infrastructure likely used as a lure to deliver a malware loader codenamed GraphicalNeutrino.

The loader, whose primary function is to deliver follow-on malware, abuses Notion’s API for command-and-control (C2) communication and uses the platform’s database capabilities to store victim information and stage payloads for download.

In a technical report released last week, the company said: “Countries linked to the Ukraine crisis, particularly those with significant geopolitical, economic or military ties to Russia and Ukraine, are at rising risk of being targeted.”

The move to Notion, a legitimate note-taking application, underscores APT29’s “increasing and continuing use” of popular software services such as Dropbox, Google Drive, and Trello to blend malware traffic with normal activity and evade detection.

No second-stage malware was detected, but ESET, which also discovered a sample in October 2022, theorized that it “aimed to acquire and execute Cobalt Strike.”

The findings also follow claims by Russia that it was the target of a “coordinated attack” in 2022 and faced “unprecedented external cyberattacks” from “intelligence agencies, multinational IT companies and hacktivists.”

As the war between Russia and Ukraine officially enters its 12th month, it remains to be seen how the conflict will evolve in the cyber realm.

“Over the past year, we’ve seen waves of increased activity, including during the post-invasion spring, fall, and quiet summer, but overall there’s been a fairly constant stream of attacks,” Lipovsky said. “So one thing we can be sure of is that there will be more cyberattacks.”
