As Russia’s invasion of Ukraine continues, new wiper malware has surfaced attacking Ukrainian infrastructure. CaddyWiper was first detected on March 14, 2022. It destroys user data and partition information on attached drives, and has been spotted on several dozen systems in a limited number of organizations. CaddyWiper has been deployed via GPO, which suggests the attackers had already compromised the target’s Active Directory domain controller before the wiper was pushed out. Morphisec Labs’ CaddyWiper analysis follows.
CaddyWiper is the fourth wiper observed attacking Ukrainian targets. WhisperGate was the first; it was used in attacks on Ukrainian government agencies ahead of the invasion. WhisperGate was followed by HermeticWiper and IsaacWiper, and CaddyWiper is now the third wiper deployed in as many weeks since the invasion began.
This chart details the CaddyWiper execution flow:
Technical Analysis
Main Functionality
If the computer CaddyWiper is executed on is a domain controller (DC), the machine won’t be harmed; sparing the DC fits the GPO-based deployment, since the attackers need it intact to keep distributing the wiper. If the host is not a DC, Caddy starts wiping at “C:\Users” in order not to break the operating system before the wiping process completes. It then wipes every drive letter from “D:” through “Z:”. If Caddy was run with administrator privileges, it also deletes the partition information of the physical hard drives to absolutely wreck the
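The branching described above (DC check, user data first, then D: through Z:, then physical disks only with admin rights) is easier to reason about as a dry-run model. The following is an added example, not CaddyWiper’s code and not Morphisec’s tooling: it only computes the ordered list of targets the text describes and never touches a disk. The `Host` type, the `wipe_plan` function and the sample hosts are assumptions for illustration; the two role constants are the standard DSROLE_MACHINE_ROLE values for backup and primary domain controllers.

```python
"""Non-destructive model of the CaddyWiper execution flow.

Added illustration only: it builds the target list the analysis describes
and performs no I/O. Names below (Host, wipe_plan) are hypothetical.
"""
from dataclasses import dataclass
from string import ascii_uppercase

# DSROLE_MACHINE_ROLE values returned by DsRoleGetPrimaryDomainInformation();
# both domain-controller roles are spared by the wiper.
DSROLE_BACKUP_DC = 4
DSROLE_PRIMARY_DC = 5
DC_ROLES = {DSROLE_BACKUP_DC, DSROLE_PRIMARY_DC}


@dataclass
class Host:
    domain_role: int      # DSROLE_MACHINE_ROLE of this machine
    is_admin: bool        # wiper running with administrator privileges?
    mounted_drives: set   # drive letters present, e.g. {"C", "D", "E"}
    physical_disks: int   # number of \\.\PHYSICALDRIVEn devices


def wipe_plan(host: Host) -> list:
    """Return the ordered targets the wiper would hit on `host`, or [] if spared."""
    if host.domain_role in DC_ROLES:
        # Domain controllers are left alone so GPO distribution keeps working.
        return []

    # Stage 1: user data on the system drive first, so the OS stays up long
    # enough for the rest of the wipe to complete.
    plan = ["C:\\Users"]

    # Stage 2: every additional drive letter from D: through Z: that exists.
    for letter in ascii_uppercase[ascii_uppercase.index("D"):]:
        if letter in host.mounted_drives:
            plan.append(f"{letter}:\\")

    # Stage 3: partition information on the physical disks, admin only.
    if host.is_admin:
        plan.extend(f"\\\\.\\PHYSICALDRIVE{n}" for n in range(host.physical_disks))
    return plan


if __name__ == "__main__":
    # Constructed sample hosts (not real telemetry).
    for sample in (
        Host(DSROLE_PRIMARY_DC, True, {"C", "D"}, 1),
        Host(1, False, {"C", "D", "F"}, 2),
        Host(1, True, {"C", "E"}, 2),
    ):
        print(sample.domain_role, sample.is_admin, wipe_plan(sample))
```

The model makes the privilege-dependent branch explicit: a non-admin run stops after the drive letters, while an admin run goes on to the physical disks, which is the case that destroys partition information and leaves the machine unbootable.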