Yesterday, newly discovered data-destroying malware was seen in attacks targeting Ukrainian enterprises, erasing data across systems on infiltrated networks. ESET Research Labs said this new malware deletes user data and partition information from associated disks. ESET telemetry reveals that it was detected on a few dozen systems in a small number of businesses.
Although CaddyWiper is built to erase data across Windows domains, it first calls the DsRoleGetPrimaryDomainInformation() API to check whether the host it is running on is a domain controller; if it is, the data on that machine is left untouched. Attackers most likely use this tactic to keep their access to the compromised networks of targeted companies while disrupting operations by wiping other critical devices.
The PE header of a malware sample detected on the network of an unnamed Ukrainian firm revealed that the malware was deployed in cyberattacks the same day it was created. “CaddyWiper does not share any significant code similarity with HermeticWiper, IsaacWiper, or any other malware known to us. The sample we analyzed was not digitally signed,” ESET added. “Similarly to HermeticWiper deployments, we observed CaddyWiper being deployed via GPO, indicating the attackers had prior control of the target’s network beforehand.”
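The observation above that the sample was deployed the same day it was built comes from the compile timestamp stored in the PE header. The following is an added illustration of that forensic check, not code from ESET or from the article: it reads the COFF `TimeDateStamp` from a minimal PE image constructed inline (not the CaddyWiper sample) and compares it with a constructed "first seen" time to give the build-to-deployment gap in hours.

```python
"""Read the COFF TimeDateStamp of a PE file and compare it with the time the
sample was first observed. The PE bytes and the first-seen time below are
constructed for this example and are not the CaddyWiper sample."""
import struct
from datetime import datetime, timezone, timedelta


def pe_compile_timestamp(data: bytes) -> datetime:
    """Return the COFF header TimeDateStamp of a PE image as an aware UTC datetime."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ signature)")
    # e_lfanew at offset 0x3C of the DOS header points to the PE signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # COFF file header follows the 4-byte signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(timestamp, tz=timezone.utc)


def build_sample_pe(timestamp: int) -> bytes:
    """Constructed minimal PE: a DOS header whose e_lfanew points at a PE
    signature followed by a 20-byte COFF header carrying the given timestamp."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=x64, 1 section, TimeDateStamp, no symbols, no optional header, no characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


def hours_between_build_and_first_seen(data: bytes, first_seen: datetime) -> float:
    """Hours from the PE compile timestamp to the time the sample was first observed."""
    return (first_seen - pe_compile_timestamp(data)).total_seconds() / 3600


def demo_delta_hours() -> float:
    """Constructed scenario: a sample built at a fixed UTC time and first seen six hours later."""
    build_ts = 1647216000  # constructed Unix timestamp (2022-03-14 00:00:00 UTC)
    sample = build_sample_pe(build_ts)
    first_seen = pe_compile_timestamp(sample) + timedelta(hours=6)
    return hours_between_build_and_first_seen(sample, first_seen)


if __name__ == "__main__":
    sample = build_sample_pe(1647216000)
    print("compile timestamp:", pe_compile_timestamp(sample).isoformat())
    print("hours from build to first sighting:", demo_delta_hours())
```

A small build-to-sighting gap is a useful triage signal on its own, but the field is attacker-controlled and is routinely zeroed or forged, so treat it as corroborating evidence rather than proof of when a binary was really compiled.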
CaddyWiper is the fourth data wiper discovered in attacks on Ukraine since the beginning of 2022, following two others discovered by ESET Research Labs and a third found by Microsoft. On February 23rd, ESET researchers discovered HermeticWiper, data-wiping malware deployed alongside ransomware decoys in attacks on Ukraine. They also identified IsaacWiper, another data wiper, and HermeticWizard, a novel worm the attackers used to drop HermeticWiper payloads when Russia invaded Ukraine.
Microsoft also discovered WhisperGate, a wiper employed in data-wiping operations against Ukraine in mid-January while masquerading as ransomware. According to Microsoft President and Vice-Chair Brad Smith, these continuous attacks with harmful software targeting Ukrainian enterprises “have been precisely targeted.”
This contrasts with the indiscriminate global NotPetya malware attack of 2017, which was eventually attributed to Sandworm, a cyber-threat group linked to Russia's GRU military intelligence service. As the Ukrainian Security Service (SSU) put it before the conflict, such destructive acts are part of a “massive wave of hybrid warfare.”