According to ESET telemetry, the new wiper was detected on a few dozen systems at a small number of organizations. It erases user data and partition information from the drives attached to the infected machine.
ESET, a Slovak cybersecurity firm, named the third wiper "CaddyWiper" and first observed it on March 14 at 9:38 a.m. UTC. According to metadata in the executable ("caddy.exe"), the sample was compiled at 7:19 a.m. UTC, a little over two hours before it was deployed.
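The "compiled at" time ESET cites is the TimeDateStamp field in the executable's COFF header. The following is an added example, not ESET's tooling, of reading that field and computing the lag to first sighting; the PE bytes it parses are a constructed minimal header, not caddy.exe, and the helper names are my own:

```python
import struct
from datetime import datetime, timezone

# Offsets from the PE/COFF specification.
DOS_MAGIC = b"MZ"
E_LFANEW_OFFSET = 0x3C          # uint32: file offset of the "PE\0\0" signature
PE_SIGNATURE = b"PE\0\0"
COFF_TIMESTAMP_OFFSET = 8       # signature(4) + Machine(2) + NumberOfSections(2)


def utc(year: int, month: int, day: int, hour: int, minute: int) -> datetime:
    """Small helper so callers can build UTC datetimes without extra imports."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime.

    The field is a uint32 count of seconds since 1970-01-01 UTC, written by
    the linker. Raises ValueError for anything that is not a PE file.
    """
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != DOS_MAGIC:
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("not a PE file: missing PE signature")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + COFF_TIMESTAMP_OFFSET)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def deploy_lag_seconds(compile_time: datetime, first_seen: datetime) -> int:
    """Seconds between linking and the first telemetry sighting."""
    return int((first_seen - compile_time).total_seconds())


def timestamp_plausible(compile_time: datetime, first_seen: datetime) -> bool:
    """The stamp is attacker-controllable (it can be zeroed or set to any value),
    so only trust it when it is non-epoch and not after the first sighting."""
    return compile_time.timestamp() > 0 and compile_time <= first_seen


def build_sample_pe(compile_time: datetime) -> bytes:
    """Constructed minimal PE header (DOS header + signature + COFF header) for
    testing; this is NOT caddy.exe, just the bytes the parser needs."""
    dos = bytearray(0x40)
    dos[:2] = DOS_MAGIC
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x40)   # PE header follows the DOS header
    coff = struct.pack(
        "<HHIIIHH",
        0x8664,                         # Machine: x64
        0,                              # NumberOfSections
        int(compile_time.timestamp()),  # TimeDateStamp
        0, 0,                           # PointerToSymbolTable, NumberOfSymbols
        0,                              # SizeOfOptionalHeader
        0,                              # Characteristics
    )
    return bytes(dos) + PE_SIGNATURE + coff


if __name__ == "__main__":
    compiled = utc(2022, 3, 14, 7, 19)   # times reported in the article
    seen = utc(2022, 3, 14, 9, 38)
    sample = build_sample_pe(compiled)
    print("compiled:", pe_compile_time(sample).isoformat())
    print("lag (min):", deploy_lag_seconds(pe_compile_time(sample), seen) // 60)
```

A short compile-to-deploy gap like this one is a useful triage signal, but the stamp is written by the linker and trivially edited, so `timestamp_plausible` rejects zeroed or future-dated values before the number is used in a timeline.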
CaddyWiper differs from the other wipers identified in Ukraine, HermeticWiper (aka FoxBlade or KillDisk) and IsaacWiper (aka Lasainraw), both of which have been found on systems belonging to government and commercial entities.
The new wiper does share a tactical overlap with HermeticWiper: in one instance it was deployed via the Windows domain controller, indicating that the attackers had already taken control of the Active Directory server. CaddyWiper, however, avoids destroying data on domain controllers, likely so that the attackers keep their access inside the organization.
The HermeticWiper attacks have been linked to a threat cluster tracked by Microsoft as DEV-0665, whose "intended goal of these attacks is the interruption, deterioration and destruction of selected resources" in the country.
According to Cisco Talos researchers, “They will employ a given topic of bait if it will boost the odds of a potential victim installing their payload. The current crisis in Ukraine is a convenient and effective news event for cybercriminals to exploit.”
The development comes as cybercriminals have increasingly taken advantage of the war to craft phishing lures themed around humanitarian aid and various kinds of donations in order to deploy backdoors like Remcos.
Last week, cybersecurity firm Trend Micro disclosed details of RURansom, a .NET-based wiper that encrypts files with a randomly generated cryptographic key and has so far targeted only companies in Russia, a reminder that wiper attacks are not confined to Ukraine.
The researchers concluded: "The keys are unique for each encrypted file and are not saved anywhere. This makes the encryption irreversible and distinguishes the virus as a wiper rather than a ransomware variation."
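To make the distinction in that conclusion concrete, here is an added example (not Trend Micro's code and not RURansom's) contrasting the two key-handling designs. It uses a SHA-256-based XOR stream as a labelled stand-in for AES, and an HMAC-derived wrapping key as a stand-in for the RSA public-key wrapping that real ransomware uses; the function names are my own.

```python
import hashlib
import hmac
import os
from typing import Tuple


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with a SHA-256 counter-mode keystream.
    Stand-in for the AES that real samples use; XOR is its own inverse,
    so the same call both encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "little")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def wiper_style_encrypt(plaintext: bytes) -> bytes:
    """The RURansom pattern as Trend Micro describes it: a fresh random key
    for every file that is never written anywhere. Only the ciphertext is
    returned; the key goes out of scope and nobody, attacker included,
    can recover the plaintext."""
    file_key = os.urandom(32)
    return _keystream_xor(file_key, plaintext)


def ransomware_style_encrypt(plaintext: bytes, operator_key: bytes) -> Tuple[bytes, bytes]:
    """What a ransomware family does instead: the per-file key is wrapped
    under a key only the operator holds and stored next to the ciphertext.
    (Real families wrap with an embedded RSA public key; an HMAC-derived
    wrapping key with a per-file nonce is the stand-in here.)"""
    file_key = os.urandom(32)
    nonce = os.urandom(16)                                    # fresh per file so wraps never share keystream
    wrap_key = hmac.new(operator_key, nonce, hashlib.sha256).digest()
    wrapped = nonce + _keystream_xor(wrap_key, file_key)
    return _keystream_xor(file_key, plaintext), wrapped


def ransomware_style_decrypt(ciphertext: bytes, wrapped: bytes, operator_key: bytes) -> bytes:
    """Recovery path that exists only because the key material was kept."""
    nonce, wrapped_key = wrapped[:16], wrapped[16:]
    wrap_key = hmac.new(operator_key, nonce, hashlib.sha256).digest()
    file_key = _keystream_xor(wrap_key, wrapped_key)
    return _keystream_xor(file_key, ciphertext)


if __name__ == "__main__":
    sample = b"constructed sample: quarterly-report.xlsx contents"   # constructed input
    wiped = wiper_style_encrypt(sample)
    print("wiper output, no key anywhere:", wiped.hex()[:32], "...")

    operator_secret = b"operator-private-secret"                 # hypothetical operator key
    ct, blob = ransomware_style_encrypt(sample, operator_secret)
    print("ransomware recovers:", ransomware_style_decrypt(ct, blob, operator_secret) == sample)
```

The triage question this encodes is "where does the per-file key go?" If it is written to disk, sent to a server, or wrapped under an embedded public key, decryption is at least possible for someone; if it is simply discarded, as in `wiper_style_encrypt`, the encryption is functionally a wipe no matter what a ransom note claims.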