Security researchers disclose another data wiper aimed at Ukraine, CaddyWiper.
CaddyWiper Was Compiled Hours Before Deployment
CaddyWiper is a destructive malware discovered by ESET researchers. The wiper was first observed on March 14, 2022, around 9:38 UTC, and according to the compile timestamp in the caddy.exe PE metadata, the binary was built roughly two hours before its deployment.
The malware’s capabilities include erasing user data and partition information from attached drives, and it has been deployed against a dozen systems in a limited number of organizations.
It is noteworthy that CaddyWiper shares no code with HermeticWiper, another recently disclosed wiper aimed at Ukraine. CaddyWiper's purpose was to destroy data belonging to government and commercial organizations. HermeticWiper recently hit several large organizations in Ukraine, affecting at least several hundred machines.
The researchers believe that HermeticWiper had been in development for months before being released in the wild, whereas CaddyWiper was compiled and deployed almost simultaneously.
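The compile-to-deployment gap mentioned above comes from the TimeDateStamp field in the PE COFF header. The following added example (not ESET's code and not part of the original article) reads that field from a Windows executable and compares it with the time the sample was first seen. The sample PE header and the compile timestamp it carries are constructed here for illustration; only the first-seen time (14 March 2022, 09:38 UTC) is taken from the article.

```python
import struct
from datetime import datetime, timedelta, timezone


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as an aware UTC datetime."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    # e_lfanew (offset 0x3C of the DOS header) points at the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header follows the signature: Machine(2), NumberOfSections(2), TimeDateStamp(4), ...
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def build_to_deploy_gap(data: bytes, first_seen: datetime) -> timedelta:
    """How long before first observation the binary claims to have been built."""
    return first_seen - pe_compile_time(data)


def assess_build_freshness(data: bytes, first_seen: datetime,
                           window: timedelta = timedelta(hours=24)) -> str:
    """Classify the compile timestamp relative to first sighting.

    The timestamp is attacker-controlled: linkers can zero it, and it is
    trivially patched, so a "fresh" verdict is an indicator, not proof.
    """
    built = pe_compile_time(data)
    if built.timestamp() == 0:
        return "unreliable: zeroed timestamp"
    if built > first_seen:
        return "unreliable: build time after first sighting (likely forged)"
    if first_seen - built <= window:
        return "fresh: built within %s of first sighting" % window
    return "stale: built long before first sighting"


def make_sample_pe(stamp: int) -> bytes:
    """Constructed minimal PE header (DOS stub + signature + COFF header) for testing."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH",
                       0x8664,   # Machine: x64
                       1,        # NumberOfSections
                       stamp,    # TimeDateStamp
                       0, 0,     # PointerToSymbolTable, NumberOfSymbols
                       0,        # SizeOfOptionalHeader
                       0x22)     # Characteristics: executable, large-address-aware
    return bytes(dos) + b"PE\0\0" + coff


# First-seen time from the article; the compile stamp is constructed as two hours earlier.
FIRST_SEEN = datetime(2022, 3, 14, 9, 38, tzinfo=timezone.utc)
SAMPLE_STAMP = int((FIRST_SEEN - timedelta(hours=2)).timestamp())
SAMPLE_PE = make_sample_pe(SAMPLE_STAMP)

if __name__ == "__main__":
    print("compiled:", pe_compile_time(SAMPLE_PE).isoformat())
    print("gap:", build_to_deploy_gap(SAMPLE_PE, FIRST_SEEN))
    print(assess_build_freshness(SAMPLE_PE, FIRST_SEEN))
```

Run it against a real sample by replacing SAMPLE_PE with `open(path, "rb").read()`; the DOS stub and optional header are skipped, so only the first few hundred bytes are needed. Treat a short gap as corroborating evidence for a purpose-built tool, and treat zeroed or future timestamps as a reason to fall back on other artefacts (Rich header, debug directory, sandbox first-seen data).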
CaddyWiper and HermeticWiper do share one operational trait. In one specific instance, CaddyWiper was deployed via a Windows domain controller, showing that the attackers had already taken control of the organization's Active Directory server.
However, CaddyWiper generally avoids destroying data on domain controllers, most likely so that the threat actors can keep their foothold inside the organization while still disrupting its operations.
The intended purpose of data wiper attacks is the disruption, degradation and destruction of resources in the targeted country. Currently, threat actors are capitalizing on the conflict between Russia and Ukraine to deliver phishing and malware attacks and to drop backdoors on compromised systems.