New Destructive Malware Used in Cyberattacks on Ukraine

As the war in Ukraine continues, with reports of the latest devastation in the capital city of Kyiv and a curfew imposed by the local mayor, the battle rages on in cyberspace as well. Security researchers reported yesterday that a new strain of destructive malware has been spotted in multiple Ukrainian networks.

The new malware functions as a wiper: it neither exfiltrates data nor encrypts it for ransom, as ransomware does. Instead, a wiper destroys whatever data it can reach, overwriting or deleting files and partition structures so that the data cannot be recovered afterwards.

CaddyWiper Deletes Files, Partitions

The newly discovered tool has been dubbed CaddyWiper and was detailed in a Twitter post by malware researchers. It is the third destructive wiper discovered in the wild in Ukraine since the start of the military conflict in the country. Notably, CaddyWiper's payload was brand new: its compilation timestamp (a value that can be forged, but which here is consistent with the rest of the evidence) matched the very day it was used to attack systems in Ukraine.

Another notable detail is that while CaddyWiper destroys data and deletes partitions, it deliberately spares domain controllers. A domain controller is the server on a Windows network responsible for handling authentication requests and for granting access to domain resources. Leaving the domain controllers intact suggests that, alongside the main task of wiping data, the tool is meant to preserve its operators' extended access to the compromised environment: a wiped domain controller would presumably also cut off their own ability to keep pushing payloads through Active Directory.

CaddyWiper Spreads to Previously Compromised Networks

CaddyWiper was spread through Microsoft Group Policy Objects (GPOs). In at least one compromised network, the domain's default GPO was used to propagate the malware. Pushing a payload through the default domain policy requires administrative rights over Active Directory, which in itself suggests that whoever is operating CaddyWiper had already gained unauthorized access to the network's Active Directory services before the wiper was deployed. For defenders, this makes unexpected modifications to GPOs, and to the default domain policy in particular, a high-value detection signal.
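As an added example (not part of the original report, nor tooling from the researchers who analysed CaddyWiper), the following PowerShell script hunts for the propagation technique just described: a recently modified GPO, especially the Default Domain Policy, that pushes a startup script or a Group Policy Preferences scheduled task to domain members. It requires a domain-joined host with the RSAT GroupPolicy module; the 7-day lookback window and the SYSVOL path derived from the host's own DNS domain are illustrative assumptions.

```powershell
# Added example, not code from the original report or from the CaddyWiper analysts.
# Hunts for GPO-based payload delivery: recently modified GPOs, the scripts and
# scheduled tasks they register, and files recently dropped into their SYSVOL folder.
# Assumptions (adjust for your estate): 7-day lookback, SYSVOL path from $env:USERDNSDOMAIN.
Import-Module GroupPolicy

$lookback = (Get-Date).AddDays(-7)
$domain   = $env:USERDNSDOMAIN
$sysvol   = "\\$domain\SYSVOL\$domain\Policies"
# Well-known GUID of the Default Domain Policy GPO
$defaultDomainPolicy = '31b2f340-016d-11d2-945f-00c04fb984f9'

$recent = Get-GPO -All | Where-Object { $_.ModificationTime -ge $lookback }

foreach ($gpo in $recent) {
    $flag = if ("$($gpo.Id)" -ieq $defaultDomainPolicy) { ' [DEFAULT DOMAIN POLICY]' } else { '' }
    Write-Output "GPO '$($gpo.DisplayName)' modified $($gpo.ModificationTime)$flag"
    $gpoPath = Join-Path $sysvol "{$($gpo.Id)}"

    # Computer startup/shutdown scripts are registered in Machine\Scripts\scripts.ini
    $scriptsIni = Join-Path $gpoPath 'Machine\Scripts\scripts.ini'
    if (Test-Path $scriptsIni) {
        Get-Content $scriptsIni |
            Where-Object { $_ -match '^\d+(CmdLine|Parameters)=' } |
            ForEach-Object { Write-Output "  script entry: $_" }
    }

    # Group Policy Preferences scheduled tasks (Task, TaskV2, ImmediateTaskV2 elements)
    $tasksXml = Join-Path $gpoPath 'Machine\Preferences\ScheduledTasks\ScheduledTasks.xml'
    if (Test-Path $tasksXml) {
        [xml]$doc = Get-Content $tasksXml
        foreach ($task in $doc.ScheduledTasks.ChildNodes) {
            # TaskV2/ImmediateTaskV2 keep the command under Properties/Task/Actions/Exec;
            # the legacy Task element keeps it in the appName attribute
            $cmd = $task.Properties.Task.Actions.Exec.Command
            if (-not $cmd) { $cmd = $task.Properties.appName }
            Write-Output "  $($task.LocalName) '$($task.name)' runs: $cmd"
        }
    }

    # Files dropped into the GPO folder during the window: payloads are often staged
    # in SYSVOL next to the policy that launches them
    Get-ChildItem -Path $gpoPath -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $lookback } |
        ForEach-Object { Write-Output "  new/modified file: $($_.FullName)" }
}
```

Any hit on the Default Domain Policy, or a script or task entry pointing at an executable nobody in the team recognises, should be treated as a potential sign that Active Directory itself is already under attacker control, since that is the level of access a GPO-based deployment implies.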

The two previous destructive tools used in recent weeks in cyberattacks against Ukrainian targets were called HermeticWiper and IsaacWiper. Both had destructive capabilities, but neither shares meaningful code similarities with the latest CaddyWiper.

Together with the reports of the CaddyWiper tool being used in Ukraine, another cyber attack made headlines, this time directed towards the Russian oil company Rosneft. A German subsidiary of Rosneft was reportedly attacked by the international hacktivist collective known as Anonymous. Reports state that 20TB of data was exfiltrated in the attack. German authorities are investigating the attack. Rosneft Deutschland facilities have not been affected.
