Best News Network

CaddyWiper is fourth new malware linked to Ukraine war

Security researchers have discovered another destructive data wiper malware being used in cyber attacks on organisations located in Ukraine, as Russian dictator Vladimir Putin’s attack on the country enters its third week.

CaddyWiper is the fourth data wiper so far linked to the war on Ukraine – and the third to be found by analysts at Slovakia-based ESET, which previously reported on two new malwares, dubbed HermeticWiper and IsaacWiper. The first was WhisperGate, which was used in attacks on Ukrainian government agencies ahead of the invasion.

ESET said it first detected CaddyWiper at 9.38am UK time on Monday 14 March 2022. It destroys user data and partition information from attached drives, and so far has been seen on several dozen systems at a limited number of organisations. ESET products detect it as Win32/KillDisk.NCX.

The analysts said CaddyWiper appears to bear no major coding similarities to either of its predecessors. ESET has evidence that, in common with HermeticWiper, its users had infiltrated their victims’ networks long before deploying it, although its portable executable (PE) header suggests it was compiled on the same day it was deployed.

Also, unlike its predecessors, the CaddyWiper sample ESET analysed lacked a digital signature.

Nasser Fattah, chair of the North America steering committee at risk management specialist Shared Assessments, commented: “As expected, destructive malware will be the de facto type of malware during the eastern European conflict because it is designed to not only make targeted technologies inoperable, but also unrecoverable. 

“The goal is to destroy the underlying technology that supports critical business functions. Here the destructive malware is politically driven where complete system disruption can cause great financial harm, as well as significant human casualties – think water purification systems ceasing to work or hospitals not having electricity.”

Rajiv Pimplaskar, CEO of Dispersive Holdings, a specialist in hardened virtual private networks (VPNs), added: “A key vector of attack for malware incursions is exploring network vulnerabilities. Typical private as well as public cloud infrastructures make it reasonably easy for sophisticated threat actors to identify resources and data flows of interest, which makes it possible to intercept them via a man-in-the-middle [MITM] attack as well as conduct various operations including capturing the shared secret exchange.

“Enterprises and governments should look at a managed attribution model which obfuscates high-value data flows in transit as well as endpoints from underlying, and potentially unfriendly, network resources, making it virtually impossible to detect, let alone intercept, sensitive data.”

Given that the cyber attack tactics, techniques and procedures used by nation states have a predictable tendency to trickle down into the hands of cyber criminals, Peter Stelzhamer, co-founder of AV-Comparatives, an Austria-based antivirus tool comparison specialist, said it was important for enterprises and consumers alike to safeguard themselves.

He advised users to keep antivirus software protections up to date and switched on; to keep operating systems patched and updated, likewise for third-party applications; and to back up all files and software.
