Since January, Ukraine has been targeted by several wiper malware families. In early February, we reported on the WhisperGate wiper. Earlier this month we spotlighted HermeticWiper and IsaacWiper. Ukraine was recently under attack by yet another wiper malware. ESET announced the discovery of CaddyWiper on March 14th in a tweet. Cisco Talos followed up a day later with more information on this malware.
What is CaddyWiper?
CaddyWiper, which targets Windows systems, is a compact MBR wiper malware with a compiled size of only 9KB. CaddyWiper was compiled on March 14th, the same day it was deployed. It appears the malware was deployed via GPO (Group Policy Object), an Active Directory component used to define rules for users, endpoints, groups, and organizations. GPOs can be used to establish security settings, install applications, run scripts, and configure the registry.
Before destroying files, CaddyWiper checks whether the machine is a domain controller. If it is, CaddyWiper does not execute. Otherwise, CaddyWiper destroys files in the Users directory and wipes files on drives C:\ through Z:\, including any network-mapped drive attached to the system. The file destruction routine has two stages: the first overwrites files, and the second destroys the physical disk layout, including the MBR and partition tables.
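The behaviour described above (file overwrites under the Users directory, then across every drive letter from C: to Z:) is something a defender can turn into a simple behavioural rule over file-write telemetry. The following is an added example, not code from the original post and not PolySwarm's tooling. It assumes an endpoint feed that records, per process, each path opened for writing (an EDR or Sysmon-style file event stream); the event tuple format, the thresholds, and the process image name "caddy.exe" in the constructed sample are illustrative assumptions, not indicators from the page.

```python
"""Behavioural heuristic for CaddyWiper-like mass file destruction.

Added example; not part of the original post. It assumes per-process
file-write events of the form (pid, image, path). Thresholds are assumptions.
"""
from dataclasses import dataclass, field

# Constructed sample telemetry: (process id, image name, path opened for write).
# "caddy.exe" is a hypothetical image name used only for this illustration.
SAMPLE_EVENTS = [
    (4120, "explorer.exe", r"C:\Users\alice\Documents\notes.txt"),
    (4120, "explorer.exe", r"C:\Users\alice\Documents\notes.txt"),
    (7788, "svchost.exe", r"C:\Windows\Temp\update.tmp"),
    (9001, "caddy.exe", r"C:\Users\alice\Desktop\report.docx"),
    (9001, "caddy.exe", r"C:\Users\bob\Pictures\img.jpg"),
    (9001, "caddy.exe", r"D:\share\finance.xlsx"),
    (9001, "caddy.exe", r"E:\backup\db.bak"),
    (9001, "caddy.exe", r"Z:\netmap\config.ini"),
]

USERS_PREFIX = "C:\\USERS\\"
MIN_DRIVES = 3       # distinct drive letters written to by one process (assumed)
MIN_USER_FILES = 2   # distinct files under C:\Users written by one process (assumed)


@dataclass
class ProcessProfile:
    image: str
    drives: set = field(default_factory=set)
    user_files: set = field(default_factory=set)
    writes: int = 0


def drive_letter(path):
    """Return the upper-case drive letter of a Windows path, or None for UNC/relative paths."""
    if len(path) >= 2 and path[1] == ":" and path[0].isalpha():
        return path[0].upper()
    return None


def profile_events(events):
    """Aggregate write events into a per-process profile of drives and Users files touched."""
    profiles = {}
    for pid, image, path in events:
        prof = profiles.setdefault(pid, ProcessProfile(image))
        prof.writes += 1
        letter = drive_letter(path)
        if letter:
            prof.drives.add(letter)
        if path.upper().startswith(USERS_PREFIX):
            prof.user_files.add(path.lower())
    return profiles


def find_wiper_candidates(events):
    """Return (pid, image, sorted drive letters) for processes that write into the
    Users directory and across several drive letters, the pattern the post describes."""
    hits = []
    for pid, prof in profile_events(events).items():
        if len(prof.drives) >= MIN_DRIVES and len(prof.user_files) >= MIN_USER_FILES:
            hits.append((pid, prof.image, sorted(prof.drives)))
    return hits


if __name__ == "__main__":
    for pid, image, drives in find_wiper_candidates(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} image={image} drives={','.join(drives)}")
```

Because the post notes that CaddyWiper skips domain controllers, a rule like this is most useful on member servers and workstations; in practice the thresholds should be tuned against baseline activity, since backup agents and sync clients can also write across many drive letters.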
PolySwarm has multiple samples of CaddyWiper.
You can use the following CLI command to search for all CaddyWiper samples in our portal:
$ polyswarm link list -f CaddyWiper
You can use the following CLI command to search for all Ukraine related samples in our portal:
$ polyswarm link list -t Ukraine