Security Experts:

CaddyWiper: Another Destructive Wiper Malware Targeting Ukraine

ESET’s security researchers have identified another data wiper targeting Ukrainian organizations, the third destructive malware identified since Russia began its invasion of the country.

Dubbed CaddyWiper, the threat does not show significant code similarities with known malware families, and has been used only against a small number of organizations.

CaddyWiper, ESET explains, erases user data and partition information, but does not destroy the information stored on domain controllers, thus allowing the attackers to maintain access to the compromised networks.

The newly identified malware is being deployed via default domain policy (GPO), which suggests that the attackers had access to the compromised network prior to executing the malware.

According to ESET, only “a few dozen systems in a limited number of organizations” have been infected with CaddyWiper. The malware is not signed and appears to have been compiled the same day it was deployed and executed, the cybersecurity firm says.

[ READ: CISA, FBI Issue Warnings on WhisperGate, HermeticWiper Attacks ]

Since the beginning of the year, security researchers identified four data wipers targeting organizations in Ukraine, including WhisperGate, HermeticWiper and IsaacWiper.

Microsoft warned of WhisperGate attacks on January 15, but was later revealed that, in some cases, the threat actor behind it had access to the compromised networks since October 2021.

HermeticWiper was executed on infected machines on February 23, the day before Russia started the war in Ukraine, but its operators had access to some of the compromised networks for at least five months.

The wiper was accompanied by HermeticWizard – a worm used to spread HermeticWiper on the local network – and HermeticRansom – ransomware written in Go, likely meant to hide the wiper’s presence.

IsaacWiper was used on February 24 in a destructive attack targeting a Ukrainian governmental network, which had not been affected by HermeticWiper. The wiper might have been used in attacks since October 2021.

The security researchers haven’t attributed any of these malware families to known threat actors.

Related: Russia-Ukraine: Threat of Local Cyber Operations Escalating Into Global Cyberwar

Related: Does the Free World Need a Global Cyber Alliance?

Related: Russian Cyber Restraint in Ukraine Puzzles Experts

view counter