Ukrainian Targets Hit by Another Destructive Malware Variant

Security researchers have discovered yet another destructive malware variant targeting Ukrainian machines, the fourth so far this year.

ESET claimed to have made the find yesterday, noting that the “CaddyWiper” malware was seen on a few dozen systems in a “limited number” of organizations.

The malware, which erases user data and partition information from attached drives, does not share any code similarities with the previous variants discovered by ESET: HermeticWiper and IsaacWiper.

The code was not digitally signed and is not reminiscent of any other malware ESET has detected in the past, the security vendor said.

“Similarly to HermeticWiper deployments, we observed CaddyWiper being deployed via GPO, indicating the attackers had prior control of the target’s network beforehand,” it explained in a series of tweets.

“Interestingly, CaddyWiper avoids destroying data on domain controllers. This is probably a way for the attackers to keep their access inside the organization while still disturbing operations.”

After analyzing information in the PE header, ESET determined that the malware was deployed the same day it was compiled.

While HermeticWiper and IsaacWiper were both used in the early days of the Russian invasion, the fourth wiper malware, dubbed “WhisperGate” by Microsoft, was discovered in January.

In related news, the Ukrainian CERT has warned of a new phishing campaign in which the sender impersonates government agencies to trick users into clicking on a booby-trapped link.

The link will take users to a ‘Windows AV update page’ so that they can increase their security, the email claims. In fact, the “BitdefenderWindowsUpdatePackage.exe” will download and run the “one.exe” file from Discord, which is a Cobalt Strike beacon in disguise.

Cobalt Strike is a legitimate pen-testing tool for remote access and lateral movement commonly used by threat actors.

Another executable, “dropper.exe,” leads to the execution of two more payloads, in the form of the GraphSteel backdoor (microsoft-cortana.exe) and GrimPlant backdoor (oracle-java.exe).