CaddyWiper, a nasty data-wiping malware, is being used to target Ukrainian networks in the ongoing Russia-Ukraine war.
According to ESET, CaddyWiper was initially observed on March 14 around 9:38 a.m. UTC. Metadata associated with the executable (“caddy.exe”) indicated that the malware was compiled at 7:19 a.m. UTC, a little over two hours prior to its deployment.
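As an added, defender-side illustration of the compile-time check described above (example code, not ESET's tooling), the following Python reads the COFF TimeDateStamp from a PE header and compares it with the time the file was first seen. The minimal PE stub and the caddy.exe timings it uses are constructed from the figures in this article.

```python
import struct
from datetime import datetime, timedelta, timezone

def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime.

    Layout: 'MZ' DOS header, e_lfanew (uint32) at 0x3C points to 'PE\\0\\0',
    then the 20-byte COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)  # sig(4) + Machine(2) + NumberOfSections(2)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)

def compile_to_first_seen_seconds(data: bytes, first_seen: datetime) -> int:
    """Seconds between the embedded compile time and when the file was first observed."""
    return int((first_seen - pe_compile_time(data)).total_seconds())

def timing_verdict(data: bytes, first_seen: datetime, window: timedelta = timedelta(hours=24)) -> str:
    """Rough triage label. Caveat: TimeDateStamp is attacker-controlled and can be
    timestomped, and some reproducible builds store a hash here instead of a time."""
    delta = first_seen - pe_compile_time(data)
    if delta < timedelta(0):
        return "future-dated"   # compiled 'after' first seen: forged stamp or clock skew
    if delta <= window:
        return "fresh-build"    # built shortly before deployment, as reported for caddy.exe
    return "aged-build"

def build_stub(stamp: int) -> bytes:
    """Constructed minimal PE header for testing: enough for the parser, not a loadable image."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0xE0, 0x102)
    return bytes(hdr) + b"PE\0\0" + coff

# Constructed sample using the times reported for caddy.exe (compiled 07:19, first seen 09:38 UTC)
COMPILED = datetime(2022, 3, 14, 7, 19, tzinfo=timezone.utc)
FIRST_SEEN = datetime(2022, 3, 14, 9, 38, tzinfo=timezone.utc)
SAMPLE = build_stub(int(COMPILED.timestamp()))

if __name__ == "__main__":
    print(pe_compile_time(SAMPLE), compile_to_first_seen_seconds(SAMPLE, FIRST_SEEN),
          timing_verdict(SAMPLE, FIRST_SEEN))
```

Run against a real sample, `first_seen` would come from telemetry or a file-system timestamp, and the verdict is only a triage hint because the stamp is trivially forgeable.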
ESET further said in a tweet, “This new malware erases user data and partition information from attached drives. ESET telemetry shows that it was seen on a few dozen systems in a limited number of organizations.”
If you think it is similar to HermeticWiper (aka FoxBlade or KillDisk) and IsaacWiper (aka Lasainraw), that’s not the case. CaddyWiper does not share any similarities with any previously discovered wipers in Ukraine. Bad actors have been using those two against government and commercial entities. Both the HermeticWiper and IsaacWiper malware families were developed months ahead of their release, with the oldest samples compiled on December 28 and October 19, 2021, respectively. CaddyWiper does, however, share a tactical overlap with HermeticWiper in that it was deployed via the Windows domain controller, which shows that the attackers had managed to gain control of the Active Directory server.
ESET further added, “Interestingly, CaddyWiper avoids destroying data on domain controllers. This is probably a way for the attackers to keep their access inside the organization while still disturbing operations.” According to Microsoft, “the intended objective of these attacks is the disruption, degradation, and destruction of targeted resources” in the country, and the company has attributed the HermeticWiper attacks to a threat cluster tracked as DEV-0665.
Cybercriminals are becoming opportunists, increasingly capitalizing on the conflict to design phishing lures. They are also using themes of humanitarian assistance and various types of fundraising to deliver a variety of backdoors such as Remcos.
According to Cisco Talos researchers, “The global interest in the ongoing war in Ukraine makes it a convenient and effective news event for cybercriminals to exploit. If a certain topic of lure is going to increase the chances of a potential victim installing their payload, they will use it.”
Earlier last week Trend Micro disclosed details of a .NET-based wiper called RURansom that has exclusively targeted entities in Russia by encrypting the files with a randomly generated cryptographic key.
Trend Micro researchers added, “The keys are unique for each encrypted file and are not stored anywhere, making the encryption irreversible and marking the malware as a wiper rather than a ransomware variant.”