Cybersecurity company ESET disclosed another Ukraine-focused wiper dubbed "CaddyWiper" on March 14. At a compiled size of just 9KB, it is considerably smaller than the wipers previously seen in Ukraine, such as "HermeticWiper" and "WhisperGate."
The sample's compilation timestamp falls on the same day it was disclosed (March 14), and initial reports suggest it was deployed via Group Policy Object (GPO).
Cisco Talos is actively conducting analysis to confirm the details included in these reports.
The wiper is relatively small in size and dynamically resolves most of the APIs it uses. Our analysis showed no indication of persistence, self-propagation or exploitation code.
Before starting any file destruction, it checks that the machine is not a domain controller. If the machine is a domain controller, the wiper stops execution.
Pseudo-code: CaddyWiper checking for the Domain Controller role of the machine.
If the system is not a domain controller, the wiper first destroys the files under "C:\Users," then wipes every file on each subsequent drive letter, from "D:\" through "Z:\". Because it iterates by drive letter, it will also attempt to wipe any network drive mapped to a letter on the system.
Files on drives D:\ and later overwritten with zeros.
Restricting the system drive to "C:\Users" means no Windows system files are overwritten, so the machine does not crash before the rest of the wipe completes.
File wiping algorithm
The file destruction algorithm is composed of two stages: a first stage that overwrites files and a second that destroys the physical disk layout, including the partition tables. For the file destruction, the wiper first obtains the 'SeTakeOwnershipPrivilege' and then takes ownership of each file by modifying its ACL entries. Each file found is then simply overwritten with zeros.
For a file larger than 10,485,760 bytes (0xA00000), only the first 10,485,760 bytes are overwritten with zeros; the data beyond that offset is not touched.
File overwritten with a buffer consisting of zeros.
The wiper then moves on to the next drive on the system, beginning with the "D" drive. It recursively takes ownership of the files on each drive and overwrites them with zeros, repeating this for the 23 drive letters from "D:\" through "Z:\".
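The overwrite pattern described above (files at or below 10,485,760 bytes zeroed entirely, larger files zeroed only in their first 10,485,760 bytes) is something an incident responder can test for when triaging a disk image. The script below is an added example written for this page, not code from the Talos post or from the CaddyWiper sample itself. It assumes a forensic copy of the file system is mounted and readable; the directory layout, file names and contents it scans are constructed inline for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# CaddyWiper overwrites at most the first 0xA00000 bytes of a file with zeros
# (smaller files are zeroed entirely), so that is the longest prefix we inspect.
WIPE_LIMIT = 0xA00000  # 10,485,760 bytes
CHUNK = 1 << 20


def zeroed_prefix_len(path, limit=WIPE_LIMIT):
    """Return the number of leading zero bytes in `path`, reading at most `limit` bytes."""
    count = 0
    with open(path, "rb") as fh:
        while count < limit:
            chunk = fh.read(min(CHUNK, limit - count))
            if not chunk:
                break
            # Index of the first non-zero byte in this chunk (== len(chunk) if none).
            first_nonzero = len(chunk) - len(chunk.lstrip(b"\x00"))
            if first_nonzero < len(chunk):
                return count + first_nonzero
            count += len(chunk)
    return count


def looks_wiped(path):
    """True if the file matches CaddyWiper's pattern: its first min(size, WIPE_LIMIT)
    bytes are all zero. Empty files carry no evidence either way and are reported False."""
    size = os.path.getsize(path)
    if size == 0:
        return False
    return zeroed_prefix_len(path) >= min(size, WIPE_LIMIT)


def scan_tree(root):
    """Walk `root` and map each file (relative POSIX path) to its wiped verdict."""
    root = Path(root)
    verdicts = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            verdicts[full.relative_to(root).as_posix()] = looks_wiped(full)
    return verdicts


def build_sample_tree():
    """Constructed sample data (hypothetical, not real victim files): a temporary
    directory mimicking a user profile after the wiper has run over it."""
    root = Path(tempfile.mkdtemp(prefix="caddy_triage_"))
    (root / "Documents").mkdir()
    # Untouched file: ordinary content, no zero prefix.
    (root / "Documents" / "notes.txt").write_bytes(b"quarterly figures, draft 3\n")
    # Small file fully zeroed, as the wiper does for anything <= WIPE_LIMIT.
    (root / "Documents" / "report.docx").write_bytes(b"\x00" * 4096)
    # Large file: only the first WIPE_LIMIT bytes are zeroed; the tail survives.
    (root / "archive.zip").write_bytes(b"\x00" * WIPE_LIMIT + b"PK-tail-data" * 8)
    # Zero prefix shorter than the file: not the wiper's pattern.
    (root / "sparse.dat").write_bytes(b"\x00" * 100 + b"\x01")
    # Empty file: no evidence either way.
    (root / "empty.log").write_bytes(b"")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, wiped in sorted(scan_tree(sample).items()):
        print(f"{'WIPED ' if wiped else 'intact'}  {rel}")
```

Legitimately zero-filled files (preallocated database or VM images, sparse files) will also match this check, so treat a hit as a lead rather than proof: correlate it with the file's modification time and with the ownership change the wiper makes when it rewrites the ACL, and remember that for files larger than 10,485,760 bytes the surviving tail may still be worth carving.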
In the second stage, the wiper attempts to set the drive layout of the physical drives on the system, numbered 9 down to 0. This zeroes the partitioning information of each physical drive, including the MBR, GPT and partition entries.
Wiper repeatedly issuing IOCTL_DISK_SET_DRIVE_LAYOUT_EX requests with a zeroed-out buffer.
Destroying the start of each file along with the partition tables is a common technique seen in other wipers, and it is highly effective at preventing file recovery. Note, however, that for files larger than 10,485,760 bytes the data past that offset is never overwritten, so fragments of large files may still be carved from the disk.
Ways our customers can detect and block this threat are listed below.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Firepower Threat Defense (FTD), Firepower Device Manager (FDM), Threat Defense Virtual, Adaptive Security Appliance can detect malicious activity associated with this threat.
Cisco Secure Malware Analytics (formerly Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.
Meraki MX appliances can detect malicious activity associated with this threat.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
Snort SIDs: 59268-59269
The following ClamAV signatures are available for protection against this threat: