CaddyWiper is a Windows wiper that destroys data and wipes drives on Ukrainian infrastructure. It is delivered via Group Policy after compromising Active Directory, and follows WhisperGate, HermeticWiper, and IsaacWiper as the fourth observed in the same period. #CaddyWiper #WhisperGate
Key points
- CaddyWiper targets Ukrainian infrastructure and is the fourth wiper seen in a sequence that began with WhisperGate, followed by HermeticWiper and IsaacWiper.
- It destroys user data and partition information on attached drives, and can wipe partitions on multiple drives, potentially rendering systems unusable.
- The malware is deployed via Group Policy Objects (GPO), indicating initial compromise of the target’s Active Directory server.
- The attack uses dynamic API loading (PEB-based resolution) to evade static/dynamic scanners.
- It changes file permissions by taking ownership of files (modifying DACLs) to maximize data destruction.
- When the initial DACL change fails, it enables SeTakeOwnershipPrivilege in its token and sets the local Administrators group as the file owner before retrying.
- Partition wiping can occur across multiple physical drives, typically requiring administrator privileges.
MITRE Techniques
- [T1106] Native API – The malware resolves Windows APIs dynamically via the PEB to evade scanners. “Caddy uses the process environment block (PEB) to resolve the required Windows application programming interface (API). This is to evade static and dynamic scanners.”
- [T1222] File and Directory Permissions Modification – The wiper changes the DACL of a file object by taking ownership of that object. “The wiper changes the DACL of a file object by taking ownership of that object.”
- [T1134] Access Token Manipulation – It enables SeTakeOwnershipPrivilege and makes Administrators group the owner of the object. “If the initial attempt to change the DACL fails, the code enables the privilege of ‘SeTakeOwnershipPrivilege.’ It then makes the local system’s administrators group the owner of the object.”
- [T1485] Data Destruction – It destroys user data and partitions information from attached drives; it wipes up to a 10MB chunk from the beginning of the file. “It destroys user data, partitions information from attached drives… The function wipepath is responsible for the actual wiping process of a file. This function can handle hidden and system files while additionally acquiring discretionary access control to the file in path. It wipes a maximum of a 10MB chunk from the beginning of the file.”
- [T1490] Inhibit System Recovery – The OS can be rendered useless, especially with admin privileges. “And when CaddyWiper starts with administrator privileges, it makes the operating system useless as well:”
- [T1078] Valid Accounts – Deployment via GPO after compromise of AD suggests attacker use of valid credentials. “CaddyWiper has been deployed via GPO, suggesting the attackers had initially compromised the target’s Active Directory server.”
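A responder's triage check for the file-wipe pattern quoted under T1485 (at most 10 MB overwritten from the start of each file), as an added example that is not from the original post or from Morphisec's analysis. It assumes the wiped region is a single repeated byte value, which the summary above does not state; the sample files it builds are constructed, not evidence.

```python
import tempfile
from pathlib import Path

WIPE_LIMIT = 10 * 1024 * 1024   # at most 10 MB are wiped from the start of a file
MIN_EVIDENCE = 64               # a uniform buffer shorter than this proves nothing


def leading_chunk_wiped(path, limit=WIPE_LIMIT):
    """True if the first min(size, limit) bytes are one repeated byte value.

    Assumption not stated in the summary: the wiped region is filled with a
    single byte value (public analyses report null bytes).
    """
    p = Path(path)
    size = p.stat().st_size
    if size < MIN_EVIDENCE:
        return False
    with p.open("rb") as fh:
        head = fh.read(min(size, limit))
    return head == head[:1] * len(head)


def surviving_bytes(path, limit=WIPE_LIMIT):
    """Bytes not covered by the wipe: the tail past `limit` for a wiped file,
    the whole file otherwise. Non-zero for a wiped file means carving may help."""
    size = Path(path).stat().st_size
    return max(size - limit, 0) if leading_chunk_wiped(path, limit) else size


def triage(root, limit=WIPE_LIMIT):
    """Classify every regular file under root as wiped or intact (sorted, relative)."""
    root = Path(root)
    report = {"wiped": [], "intact": []}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            key = "wiped" if leading_chunk_wiped(p, limit) else "intact"
            report[key].append((str(p.relative_to(root)), surviving_bytes(p, limit)))
    return report


def demo():
    """Build a constructed sample tree (not real evidence) and triage it."""
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        (base / "doc_small.bin").write_bytes(b"\x00" * 4096)                 # fully wiped
        (base / "doc_big.bin").write_bytes(b"\x00" * WIPE_LIMIT + b"tail")   # 10 MB wiped, 4 B left
        (base / "notes.txt").write_bytes(b"quarterly report\n" * 64)          # untouched
        (base / "tiny.bin").write_bytes(b"\x00" * 10)                         # too small to judge
        return triage(base)
```

Run `triage()` over a mounted image to list files whose leading chunk matches the pattern and how many bytes past the 10 MB mark survive for carving.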
Indicators of Compromise
- [SHA-256] CaddyWiper IOCs – a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea, 1e87e9b5ee7597bdce796490f3ee09211df48ba1d11f6e2f5b255f05cc0ba176 and 4 more hashes
Read more: https://blog.morphisec.com/caddywiper-analysis-new-malware-attacking-ukraine