The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

CaddyWiper

Mar 21, 2022 10:45:31 AM / by PolySwarm Tech Team

Threat Bulletin - Images_Blog

Background

Since January, Ukraine has been targeted by several wiper malware families. In early February, we reported on the WhisperGate wiper. Earlier this month we spotlighted HermeticWiper and IsaacWiper. Ukraine was recently under attack by yet another wiper malware. ESET announced the discovery of CaddyWiper on March 14th in a tweet. Cisco Talos followed up a day later with more information on this malware.

What is CaddyWiper?

CaddyWiper, which targets Windows systems, is a compact MBR wiper malware with a compiled size of only 9KB. CaddyWiper was compiled on March 14th, the same day it was deployed. It appears the malware was deployed via GPO (Group Policy Object), an Active Directory component used to define rules for users, endpoints, groups, and organizations. GPOs can be used to establish security settings, install applications, run scripts, and configure the registry.

Before destroying files, CaddyWiper checks whether the machine is a domain controller. If the machine is a domain controller, CaddyWiper does not execute. Otherwise, CaddyWiper destroys files in the Users directory and wipes files on drives C:\ - Z:\, including any network mapped drive attached to the system. The file destruction algorithm has two stages. The first stage overwrites files, and the second destroys the physical disk layout, including the MBR and partition tables.

IOCs

PolySwarm has multiple samples of CaddyWiper.

f1e8844dbfc812d39f369e7670545a29efef6764d673038b1c3edd11561d6902

b66b179eac03afafdc69f62c207819eceecfbf994c9efa464fda0d2ba44fe2d7

ea6a416b320f32261da8dafcf2faf088924f99a3a84f7b43b964637ea87aef72

1e87e9b5ee7597bdce796490f3ee09211df48ba1d11f6e2f5b255f05cc0ba176

a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea

You can use the following CLI command to search for all CaddyWiper samples in our portal:

$ polyswarm link list -f CaddyWiper

You can use the following CLI command to search for all Ukraine related samples in our portal:

$ polyswarm link list -t Ukraine 


Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports

Topics: Ukraine, Threat Bulletin, Wiper, CaddyWiper

PolySwarm Tech Team

Written by PolySwarm Tech Team

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts