This is the third time in as many weeks that ESET researchers have spotted previously unknown data-wiping malware taking aim at Ukrainian organizations.
ESET researchers have uncovered yet another destructive data wiper that was used in attacks against organizations in Ukraine.
Dubbed CaddyWiper by ESET analysts, the malware was first detected at 11.38 a.m. local time (9.38 a.m. UTC) on Monday. The wiper, which destroys user data and partition information from attached drives, was spotted on several dozen systems in a limited number of organizations. It is detected by ESET products as Win32/KillDisk.NCX.
Much like with HermeticWiper, there’s evidence to suggest that the bad actors behind CaddyWiper infiltrated the target’s network before unleashing the wiper.
A wiper a week
This is the third time in as many weeks that ESET researchers have spotted a previously unknown strain of data-wiping malware in Ukraine.
On the eve of Russia’s invasion of Ukraine, ESET’s telemetry picked up HermeticWiper on the networks of a number of high-profile Ukrainian organizations. The campaigns also leveraged HermeticWizard, a custom worm used for propagating HermeticWiper inside local networks, and HermeticRansom, which acted as decoy ransomware.
The next day, a second destructive attack against a Ukrainian governmental network started, this time deploying IsaacWiper.
Ukraine in the crosshairs
In January of this year, another data wiper, called WhisperGate, swept through the networks of multiple organizations in Ukraine.
All these campaigns are only the latest in a long string of attacks to have hit high-profile targets in the country over the past eight years. As explored by ESET researchers in a recent webinar and podcast, Ukraine has been on the receiving end of a number of highly disruptive cyberattacks since 2014, including the NotPetya attack that tore through the networks of a number of Ukrainian businesses in June 2017 before spreading beyond the country’s borders.