Background
Since January, Ukraine has been targeted by several wiper malware families. In early February we reported on the WhisperGate wiper, and earlier this month we spotlighted HermeticWiper and IsaacWiper. Ukraine has now been hit by yet another wiper: ESET announced the discovery of CaddyWiper on March 14th in a tweet, and Cisco Talos followed up a day later with more information on the malware.
What is CaddyWiper?
CaddyWiper is a compact Windows wiper: the compiled binary is only about 9 KB. The sample was compiled on March 14th, the same day it was deployed, which leaves little time for signature-based detection to catch up. The malware appears to have been deployed via GPO (Group Policy Object), the Active Directory mechanism used to define settings for users, endpoints, groups, and organizational units. GPOs can establish security settings, install applications, run scripts, and configure the registry, so a compromised domain can push a wiper to every joined host at once.
Before destroying anything, CaddyWiper checks whether the machine it is running on is a domain controller; if so, it exits without wiping. This leaves the domain, and with it the GPO channel used to push the wiper, intact. On every other host, CaddyWiper destroys files under the Users directory and then wipes files on drives C:\ through Z:\, including any network-mapped drives attached to the system. Destruction happens in two stages: the first overwrites file contents, and the second destroys the physical disk layout, including the MBR and partition tables, so the machine will not boot and the volumes cannot be recovered simply by rebuilding the file system.
IOCs
PolySwarm has multiple samples of CaddyWiper.
f1e8844dbfc812d39f369e7670545a29efef6764d673038b1c3edd11561d6902
b66b179eac03afafdc69f62c207819eceecfbf994c9efa464fda0d2ba44fe2d7
ea6a416b320f32261da8dafcf2faf088924f99a3a84f7b43b964637ea87aef72
1e87e9b5ee7597bdce796490f3ee09211df48ba1d11f6e2f5b255f05cc0ba176
a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea
You can use the following CLI command to search for all CaddyWiper samples in our portal:
$ polyswarm link list -f CaddyWiper
You can use the following CLI command to search for all Ukraine related samples in our portal:
$ polyswarm link list -t Ukraine
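As an added example (not part of the original report or of PolySwarm's own tooling), the following Python script sweeps a directory tree and reports any file whose SHA-256 matches one of the hashes listed above. Two things in it are assumptions made for illustration: a 1 MiB size cutoff (the sample is only about 9 KB, so hashing large files is wasted time), and a constructed stand-in file planted in a temporary directory in place of real malware so the script can be run offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 hashes of the CaddyWiper samples listed on this page.
CADDYWIPER_SHA256 = frozenset({
    "f1e8844dbfc812d39f369e7670545a29efef6764d673038b1c3edd11561d6902",
    "b66b179eac03afafdc69f62c207819eceecfbf994c9efa464fda0d2ba44fe2d7",
    "ea6a416b320f32261da8dafcf2faf088924f99a3a84f7b43b964637ea87aef72",
    "1e87e9b5ee7597bdce796490f3ee09211df48ba1d11f6e2f5b255f05cc0ba176",
    "a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea",
})

# Assumption: skip anything over 1 MiB. CaddyWiper is ~9 KB, so hashing large
# files only costs time; raise or drop the limit if you want a full sweep.
MAX_FILE_SIZE = 1 << 20


def sha256_of_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large files are never read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root, iocs=CADDYWIPER_SHA256, max_size=MAX_FILE_SIZE):
    """Walk `root` and return (path, sha256) for every file whose hash is in `iocs`.

    Unreadable files (locked, permission denied, vanished mid-walk) are skipped
    rather than aborting the sweep. Hashes are compared case-insensitively.
    """
    wanted = {h.lower() for h in iocs}
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                if not path.is_file() or path.stat().st_size > max_size:
                    continue
                digest = sha256_of_file(path)
            except OSError:
                continue
            if digest in wanted:
                hits.append((str(path), digest))
    return hits


def demo():
    """Build a constructed directory tree and sweep it.

    No real CaddyWiper binary is embedded here. One constructed file is planted
    and its hash is added to the IOC set, so the sweep reports exactly one hit.
    Returns (hits, planted_digest).
    """
    planted = b"constructed stand-in for a wiper binary (not real malware)"
    planted_digest = hashlib.sha256(planted).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Windows" / "Temp").mkdir(parents=True)
        (root / "Users" / "alice").mkdir(parents=True)
        (root / "Windows" / "Temp" / "wiper-stand-in.exe").write_bytes(planted)
        (root / "Users" / "alice" / "notes.txt").write_text("benign user data\n")
        # Over the size cutoff: must be skipped, not hashed.
        (root / "Users" / "alice" / "big.bin").write_bytes(b"\0" * (MAX_FILE_SIZE + 1))
        # Upper-case the planted hash to show matching is case-insensitive.
        hits = sweep(root, iocs=CADDYWIPER_SHA256 | {planted_digest.upper()})
    return hits, planted_digest


if __name__ == "__main__":
    for path, digest in demo()[0]:
        print(f"MATCH {digest}  {path}")
```

Hash matching only finds the exact samples listed here. Because the sample was built on the day it was deployed, a recompiled variant would carry a different hash, so treat a clean sweep as "none of these five files are present" rather than "no wiper is present", and pair it with the portal search above for newly tagged samples.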
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports