ESET researchers have discovered a new data-wiping malware, CaddyWiper, used against Ukrainian organizations to destroy data on systems across compromised networks.
“The new malware erases user data and information from removable disk partitions. Judging by ESET telemetry, it infected several dozen systems in a limited number of organizations,” the researchers reported.
CaddyWiper is built for Windows domain environments. Before wiping, it calls DsRoleGetPrimaryDomainInformation() to determine the machine's role and, if the infected host is a domain controller, it leaves that host's data untouched.
This tactic most likely lets the attackers keep their foothold in the compromised network (the domain controller stays usable) while still severely disrupting operations by wiping the other important hosts.
Analysis of the PE header (the compilation timestamp) of a sample found in one Ukrainian organization's network showed that the malware was deployed on the same day it was compiled.
According to ESET, CaddyWiper's code bears no significant similarity to HermeticWiper, IsaacWiper or any other known malware. Like HermeticWiper, however, it was deployed through Group Policy Objects (GPOs), which means the attackers already had control of the victim's Active Directory domain before the wiper was launched.
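Two practical checks follow from the behaviour described above: knowing which machine role a host reports (the same DSROLE_MACHINE_ROLE classification that DsRoleGetPrimaryDomainInformation() returns, and which the wiper uses to spare domain controllers), and finding recently modified GPOs that push scripts or scheduled tasks, since GPO was the deployment channel. The script below is an added defensive example written for this article; it is not ESET's code and not part of CaddyWiper. It assumes a domain-joined Windows host with the RSAT GroupPolicy module installed and read access to GPOs; the `$LookbackDays` value and the `xsi:type="q\d+:(\w+)"` pattern used to pull extension names out of the GPO XML report are assumptions made for the example.

```powershell
# Added defensive example (not from ESET's report and not CaddyWiper code).
# Assumptions: domain-joined Windows host, RSAT GroupPolicy module installed,
# rights to read GPOs. $LookbackDays and the extension-name regex are choices
# made for this example.
param(
    [int]$LookbackDays = 7
)

# 1. Machine role. Win32_ComputerSystem.DomainRole uses the same numbering as
#    the DSROLE_MACHINE_ROLE enum returned by DsRoleGetPrimaryDomainInformation():
#    4 = backup domain controller, 5 = primary domain controller.
$roleNames = @{
    0 = 'StandaloneWorkstation'
    1 = 'MemberWorkstation'
    2 = 'StandaloneServer'
    3 = 'MemberServer'
    4 = 'BackupDomainController'
    5 = 'PrimaryDomainController'
}
$role = [int](Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDC = $role -ge 4
$note = if ($isDC) { ' (a domain controller; the wiper skips such hosts, per ESET)' } else { '' }
Write-Host ("This host reports role {0}: {1}{2}" -f $role, $roleNames[$role], $note)

# 2. GPOs modified within the lookback window and the policy extensions they
#    carry. Startup scripts and scheduled tasks are the usual ways a binary is
#    pushed to every machine via GPO, so those are flagged.
Import-Module GroupPolicy -ErrorAction Stop
$since = (Get-Date).AddDays(-$LookbackDays)

Get-GPO -All |
    Where-Object { $_.ModificationTime -ge $since } |
    ForEach-Object {
        $report = Get-GPOReport -Guid $_.Id -ReportType Xml
        # Extension elements in the XML report look like
        #   <Extension xmlns:q1="..." xsi:type="q1:Scripts">
        # Capturing the name after the q<n>: prefix is an assumption about
        # that serialisation format.
        $exts = [regex]::Matches($report, 'xsi:type="q\d+:(\w+)"') |
            ForEach-Object { $_.Groups[1].Value } |
            Sort-Object -Unique
        [pscustomobject]@{
            Name       = $_.DisplayName
            Modified   = $_.ModificationTime
            Extensions = ($exts -join ',')
            PushesCode = [bool]($exts | Where-Object { $_ -in 'Scripts', 'ScheduledTasks' })
        }
    } |
    Sort-Object Modified -Descending |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session on a domain member; any GPO with `PushesCode = True` and a modification time you cannot account for deserves an immediate look at its scripts and scheduled-task definitions, since that is exactly how a wiper such as this one reaches every host in the domain at once.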
CaddyWiper is the fourth wiper seen in attacks on Ukraine since the beginning of 2022. On February 23, the day before Russian troops entered the country, ESET researchers discovered the HermeticWiper data-destroying malware, which was accompanied by decoy ransomware.
ESET also identified the IsaacWiper wiper and a new worm, HermeticWizard, which was used the same day as a dropper for HermeticWiper.
Earlier, Microsoft researchers discovered the WhisperGate wiper, disguised as ransomware, deployed in attacks on Ukrainian organizations in mid-January 2022.