Threat Advisory: CaddyWiper

Overview
Cybersecurity company ESET disclosed another Ukraine-focused wiper, dubbed “CaddyWiper,” on March 14. The wiper is considerably smaller than previous wipers seen in Ukraine, such as “HermeticWiper” and “WhisperGate,” with a compiled size of just 9KB.

The discovered sample’s compilation timestamp falls on the same day (March 14), and initial reports suggest that it was deployed via Group Policy Object (GPO).

Cisco Talos is actively conducting analysis to confirm the details included in these reports.

Analysis
The wiper is relatively small in size and dynamically resolves most of the APIs it uses. Our analysis did not show any indications of persistence, self-propagation or exploitation code.

Before starting any file destruction, it checks to ensure that the machine is not a domain controller. If the machine is a domain controller, it stops execution.

Pseudo-code: CaddyWiper checking for the Domain Controller role of the machine.
If the system is not a domain controller, the wiper destroys files under “C:\Users,” then moves on to the next drive letter and wipes all files on each successive drive until it reaches the “Z” drive. This means the wiper will also attempt to wipe any network-mapped drive attached to the system.
File in drives with letters from
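A defender-side heuristic built from the behaviour described above (an added example, not Talos or ESET code): it scans file-write telemetry for a single process that writes under C:\Users and then touches files on several further drive letters within a short window. The event format, process ids, image names, paths and the two thresholds are assumptions constructed for the example.

```python
"""Heuristic detection of CaddyWiper-like drive walking in file-write telemetry.

CaddyWiper wipes C:\\Users first and then walks the remaining drive letters up to
Z:, so one process writing under C:\\Users and then to files on several other
drives (mapped network drives included) in a short window is a strong signal.
"""
from collections import defaultdict
from datetime import datetime

WINDOW_SECONDS = 120     # the drive walk must happen within this many seconds
MIN_EXTRA_DRIVES = 2     # distinct drives other than C: needed to alert

# Constructed sample events (not real telemetry): "<ISO time> <pid> <image> <path>".
SAMPLE_EVENTS = """\
2022-03-14T10:00:01 4120 C:\\Temp\\unknown.exe C:\\Users\\alice\\Documents\\q1.xlsx
2022-03-14T10:00:09 4120 C:\\Temp\\unknown.exe D:\\backups\\2022\\db.bak
2022-03-14T10:00:15 4120 C:\\Temp\\unknown.exe E:\\share\\finance\\ledger.csv
2022-03-14T10:00:20 4120 C:\\Temp\\unknown.exe Z:\\netmap\\archive.zip
2022-03-14T10:00:03 2216 C:\\Backup\\agent.exe D:\\backups\\2022\\db.bak
2022-03-14T10:01:03 2216 C:\\Backup\\agent.exe E:\\share\\finance\\ledger.csv
"""

def parse_events(text):
    """Parse one event per line into (timestamp, pid, image, path) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, pid, image, path = line.split(maxsplit=3)
            events.append((datetime.fromisoformat(ts), int(pid), image, path))
    return events

def detect_drive_walk(events, window=WINDOW_SECONDS, min_extra=MIN_EXTRA_DRIVES):
    """Return {pid: (image, sorted drive letters)} for processes that write under
    C:\\Users and then to at least min_extra other drives within window seconds."""
    by_pid = defaultdict(list)
    for ts, pid, image, path in events:
        by_pid[pid].append((ts, image, path))
    findings = {}
    for pid, rows in by_pid.items():
        rows.sort()                      # chronological order per process
        first_users_hit, drives = None, set()
        for ts, image, path in rows:
            if path.upper().startswith("C:\\USERS\\"):
                first_users_hit = first_users_hit or ts
            elif (first_users_hit and path[0].upper() != "C"
                  and (ts - first_users_hit).total_seconds() <= window):
                drives.add(path[0].upper())
        if first_users_hit and len(drives) >= min_extra:
            findings[pid] = (rows[0][1], sorted(drives))
    return findings
```

Calling `detect_drive_walk(parse_events(SAMPLE_EVENTS))` flags only pid 4120; the backup agent touching D: and E: without first hitting C:\Users is left alone, and the two thresholds should be tuned against real telemetry volume.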

Read More: http://blog.talosintelligence.com/2022/03/threat-advisory-caddywiper.html