A new malware hits Ukraine, it is a Wiper that deletes data from systems

Researchers at ESET have discovered a new piece of malware, named CaddyWiper, that attacked and infected Ukrainian systems a few days ago. As the name suggests, it is a wiper, a particularly dangerous and destructive class of malware, because it completely erases the data on the infected computer's disks. Unlike ransomware, which encrypts the contents of the disk in the hope that the victim will pay a ransom for the decryption key, a wiper's sole purpose is to damage the affected systems beyond repair.

Unfortunately, in this case too the story appears closely tied to the ongoing conflict between Russia and Ukraine, especially since this is not the first malware of this kind the team has found recently: on February 23, the day before the Russian army invaded Ukraine, researchers identified HermeticWiper, which was used against Ukrainian systems. The following day, February 24, another wiper, IsaacWiper, targeted the country's computers. According to the team, both had very likely been in development for several months before they were used.

#BREAKING #ESETresearch warns about the discovery of a 3rd destructive wiper deployed in Ukraine. We first observed this new malware we call #CaddyWiper today around 9h38 UTC. 1/7 pic.twitter.com/gVzzlT6AzN

- ESET research (@ESETresearch) March 14, 2022

The number of computers affected by CaddyWiper currently appears to be quite low, with the research team seeing only one organization fall victim to it. The team's head of threat research, Jean-Ian Boutin, told The Verge: “We know that if the wiper works, it can render the system useless. However, at this point it is not clear what the real impact of the attack is.”

Latest Data-Wiping Malware To Hit Ukraine Can Also Erase Attached Drives

A new strain of data-wiping malware has been discovered hitting computers in Ukraine, with the ability to erase data both on the host computer and on attached storage devices.

The antivirus provider ESET first observed the Windows-based malware on Monday and has since dubbed it “CaddyWiper.” The company has so far seen the malicious code, which is only 9 kilobytes in size, on “a few dozen systems in a limited number of organizations” in Ukraine.

The culprits behind the malware remain unknown, but ESET said CaddyWiper was installed after the attackers had already compromised the victim's network. Specifically, the malware was deployed by abusing a Group Policy Object (GPO), the Windows mechanism IT administrators use to manage and configure computers across a corporate (Active Directory) domain; an attacker who controls a GPO can push a program to every machine that GPO applies to.
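Because the article says CaddyWiper reached its targets through a GPO, the first thing a defender in a similar position wants is a list of GPOs that changed recently and whether any of them can run code. The following PowerShell is an added example for this page, not code from the article, ESET or Talos. It assumes the GroupPolicy RSAT module is installed and that the account running it can read the domain's GPOs; the seven-day window and the element-name matches against the GPO XML report are heuristics chosen here, since the article does not say which GPO setting was abused.

```powershell
# Added example (not from the article, ESET or Talos). Lists Group Policy Objects
# modified in the last N days and flags those carrying a code-execution vehicle
# (startup/logon scripts, scheduled-task preferences, software installation), the
# usual ways a GPO pushes a binary to every machine it applies to. Read-only.
# Requires the GroupPolicy RSAT module on a domain-joined host.

function Get-RecentGpoChanges {
    [CmdletBinding()]
    param(
        # Look-back window in days. 7 is an assumption; tune to your change cadence.
        [int]$Days = 7
    )

    Import-Module GroupPolicy -ErrorAction Stop
    $since = (Get-Date).AddDays(-$Days)

    foreach ($gpo in Get-GPO -All | Where-Object { $_.ModificationTime -gt $since }) {
        # The XML report lists the settings actually configured in this GPO.
        $report = Get-GPOReport -Guid $gpo.Id -ReportType Xml

        [pscustomobject]@{
            DisplayName        = $gpo.DisplayName
            Id                 = $gpo.Id
            ModificationTime   = $gpo.ModificationTime
            Owner              = $gpo.Owner
            GpoStatus          = $gpo.GpoStatus
            # Heuristic substring matches on the report; these are the names of the
            # Scripts, Scheduled Tasks (preference) and Software Installation extensions.
            HasScripts         = [bool]($report -match 'Scripts')
            HasScheduledTask   = [bool]($report -match 'ScheduledTasks|ImmediateTask')
            HasSoftwareInstall = [bool]($report -match 'SoftwareInstallationSettings')
        }
    }
}

# Anything changed recently that can execute code should match a change ticket.
Get-RecentGpoChanges -Days 7 |
    Sort-Object ModificationTime -Descending |
    Format-Table DisplayName, ModificationTime, Owner, HasScripts, HasScheduledTask, HasSoftwareInstall -AutoSize
```

The substring checks are deliberately loose (a GPO whose display name contains "Scripts" will match too), so treat a flagged row as something to open in the Group Policy Management Console, not as a verdict. Generating the XML report for every changed GPO is slow in large domains; narrow the window or filter on `Owner` first if that matters.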

Ukrainian authorities reportedly believe CaddyWiper has been targeting financial institutions in the country.

Cisco’s Talos security unit has also examined the malware and found that it operates by first destroying the files under C:\Users, then moving on to the next drive letter and continuing until it reaches the Z: drive. “This means that the wiper will also attempt to wipe any network mapped drive attached to the system,” Talos said.

To wipe the data, the malware overwrites each file, and the storage partitions, with zeros, which prevents recovery. However, the malware refrains from erasing data if it detects that the computer is a domain controller, the server that answers authentication requests for the corporate (Active Directory) network.
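The sweep described above (C:\Users first, then every assigned letter up to Z:, mapped network drives included, skipped on domain controllers) can be modelled without touching any data. The PowerShell below is an added example written for this page, not code from the article, ESET or Talos. It reads the host's drive letters and domain role through WMI (Win32_LogicalDisk and Win32_ComputerSystem) and reports which drives, and which remote shares behind mapped letters, a sweep of that shape would reach. The article does not say how CaddyWiper itself determines the domain-controller role, so the DomainRole check here is this script's own choice.

```powershell
# Added example (not from the article, ESET or Talos): a read-only model of the
# drive-letter sweep described above, run on the host being assessed. It lists the
# letters C: through Z: that exist, marks which are mapped network drives (and the
# UNC path behind them), and reports whether the host is a domain controller, the
# case the article says the wiper exempts. Nothing is written or deleted.

function Get-DriveSweepExposure {
    [CmdletBinding()]
    param()

    # Win32_ComputerSystem.DomainRole: 0/1 workstation, 2/3 server, 4 backup DC, 5 primary DC.
    # Assumption of this script: CaddyWiper's own DC check is not described in the article.
    $system = Get-CimInstance -ClassName Win32_ComputerSystem
    $isDomainController = $system.DomainRole -in 4, 5

    # Win32_LogicalDisk.DriveType: 2 removable, 3 local fixed, 4 network, 5 optical, 6 RAM disk
    $typeNames = @{ 2 = 'Removable'; 3 = 'LocalFixed'; 4 = 'Network'; 5 = 'Optical'; 6 = 'RAMDisk' }
    $disks = Get-CimInstance -ClassName Win32_LogicalDisk

    # Same order as the sweep: C: first (starting at C:\Users), then D: through Z:.
    foreach ($code in [int][char]'C'..[int][char]'Z') {
        $drive = '{0}:' -f [char]$code
        $disk  = $disks | Where-Object { $_.DeviceID -eq $drive }
        if (-not $disk) { continue }   # letter not assigned on this host

        $firstPath = if ($drive -eq 'C:') { 'C:\Users' } else { "$drive\" }
        $sizeGB    = if ($disk.Size) { [math]::Round($disk.Size / 1GB, 1) } else { $null }

        [pscustomobject]@{
            Drive        = $drive
            Type         = $typeNames[[int]$disk.DriveType]
            FirstPath    = $firstPath
            # For mapped drives, the remote share that would be wiped through this host.
            RemoteShare  = $disk.ProviderName
            SizeGB       = $sizeGB
            HostIsDC     = $isDomainController
            WouldBeSwept = -not $isDomainController
        }
    }
}

$exposure = Get-DriveSweepExposure
$exposure | Format-Table -AutoSize

# The network rows are the ones that extend the damage beyond this machine.
$exposure | Where-Object { $_.Type -eq 'Network' } |
    ForEach-Object { 'Mapped share reachable from this host: {0} -> {1}' -f $_.Drive, $_.RemoteShare }
```

Mapped drives are per user session: Win32_LogicalDisk only returns the mappings of the account the query runs under, so run this as the interactive user you are assessing (or enumerate persistent mappings from each profile's HKCU\Network key) rather than through a remote CIM session. The Network rows are the point of the exercise: those shares would be wiped through a single infected workstation even though the file server hosting them is never itself infected.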

“This is probably a way for the attackers to keep their access inside the organization while still disturbing operations,” ESET said. 

Surprisingly, CaddyWiper shares no code with the three other data-wiping malware strains that have attacked Windows computers in Ukraine in recent weeks, according to ESET. Back in January, Microsoft detected the initial strain, dubbed WhisperGate. In February and March, security firms then spotted HermeticWiper, and another called IsaacWiper, spreading across Ukrainian companies as Russia invaded the country.

The “destructive” malware incidents in Ukraine have prompted the US to warn that the same attacks could spill over to hit American companies. US cyber authorities are now urging organizations to harden their IT defenses, which can include running more antivirus scans, keeping software up to date, and using multi-factor authentication on all login systems.