
CaddyWiper: More destructive wiper malware strikes Ukraine


The wiper avoids domain controllers to stay under the radar.

Written by Charlie Osborne, Contributing Writer on March 15, 2022

Researchers have uncovered a new form of wiper malware being used in assaults
against Ukrainian organizations.

On March 14, ESET published a Twitter thread documenting the malware, dubbed
CaddyWiper, that was compiled on the same day it was deployed to target networks.

The wiper -- the third discovered in as many weeks by the cybersecurity firm -- has
been detected "on a few dozen systems in a limited number of organizations,"
according to ESET.

CaddyWiper is wiper malware, malicious code specifically designed to damage target
systems by erasing user data, programs, hard drives, and in some cases, partition
information.

Unlike ransomware, Trojans, and other common malware variants, wipers are not
focused on theft or financial gain -- but rather, they erase everything in their path for
purely destructive purposes. 

The new wiper follows this pattern by wiping out user data and partition information.
However, ESET says that CaddyWiper does avoid erasing information on domain
controllers. 

"This is probably a way for the attackers to keep their access inside the organization
while still disturbing operations," the team said. 

In cases detected so far, CaddyWiper has been spread through Microsoft Group Policy
Objects (GPOs). In one example, a network's default GPO was abused to spread the
malware, which suggests that the attackers had already obtained access to Active
Directory services prior to the deployment of CaddyWiper.

ESET noted, however, that CaddyWiper does not share any "significant" code
similarities with HermeticWiper or IsaacWiper, two other wiper strains found by the
firm in recent weeks.

HermeticWiper has impacted hundreds of machines belonging to Ukrainian
organizations and abuses drivers for its data-destroying activities. IsaacWiper, found in
a Ukrainian government network, also contains worm-like capabilities and ransomware
features.

The Computer Emergency Response Team for Ukraine (CERT-UA) has requested that
organizations in the country suspecting CaddyWiper infiltration report such incidents. 

Microsoft first warned of the use of wiper malware against Ukraine in January, prior to
Russia's invasion. The country has also experienced a Distributed Denial-of-Service
(DDoS) attack, launched against government services and banks, leading to calls for
a volunteer "IT army" to protect Ukraine's critical infrastructure. 
