CaddyWiper: More destructive wiper malware strikes Ukraine

The wiper avoids domain controllers to stay under the radar.
Written by Charlie Osborne, Contributing Writer

Researchers have uncovered a new form of wiper malware being used in assaults against Ukrainian organizations. 

On March 14, ESET published a Twitter thread documenting the malware, dubbed CaddyWiper, that was compiled on the same day it was deployed to target networks. 

The wiper -- the third discovered in as many weeks by the cybersecurity firm -- has been detected "on a few dozen systems in a limited number of organizations," according to ESET.

CaddyWiper is wiper malware, malicious code specifically designed to damage target systems by erasing user data, programs, hard drives, and in some cases, partition information. 

Unlike ransomware, Trojans, and other common malware variants, wipers are not focused on theft or financial gain -- but rather, they erase everything in their path for purely destructive purposes. 

The new wiper follows this pattern by wiping out user data and partition information. However, ESET says that CaddyWiper does avoid erasing information on domain controllers. 

"This is probably a way for the attackers to keep their access inside the organization while still disturbing operations," the team said. 

In cases detected so far, CaddyWiper has been spread through Microsoft Group Policy Objects (GPOs), and in one example, a network's default GPO was abused to spread the malware -- and this suggests that the attackers had already obtained access to Active Directory services prior to the deployment of CaddyWiper.

ESET noted that CaddyWiper does not share any "significant" code similarities with HermeticWiper or IsaacWiper, however, two other wiper strains found by the firm in recent weeks. 

HermeticWiper has impacted hundreds of machines belonging to Ukrainian organizations and abuses drivers for its data-destroying activities. IsaacWiper, found in a Ukrainian government network, also contains worm-like capabilities and ransomware features. 

The Computer Emergency Response Team for Ukraine (CERT-UA) has requested that organizations in the country suspecting CaddyWiper infiltration report such incidents. 

Microsoft first warned of the use of wiper malware against Ukraine in January, prior to Russia's invasion. The country has also experienced a Distributed Denial-of-Service (DDoS) attack, launched against government services and banks, leading to calls for a volunteer "IT army" to protect Ukraine's critical infrastructure. 

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards