Detect CaddyWiper: Another Destructive Data Wiper to Attack Ukrainian Networks
Table of contents:
Cyberspace is yet another frontier in the Russia-Ukraine war. Russia-backed large-scale сyber-attacks accompany military aggression against Ukraine, aiming to bring key elements of Ukrainian infrastructure offline. The newly spotted CaddyWiper malware adds to a strain of previously revealed cyber threats – HermeticWiper, WhisperGate, and IsaacWiper. The novel data wiping malware does not bear a resemblance to other malware families.
CaddyWiper Detection
To detect this data wiper malware, utilize the following Sigma-based rule provided by our skilled threat hunter Osman Demir:
CaddyWiper – New Destructive Wiper Malware in Ukraine (via file_event)
To reach this Sigma-based detection, log into your current account or sign up for the platform.
This detection has translations for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, QRadar, FireEye, LogPoint, Regex Grep, RSA NetWitness, Chronicle Security, Microsoft Defender ATP, and Open Distro.
The rule is aligned with the latest MITRE ATT&CK® framework v.10, addressing the Impact tactic with Disk Wipe (T1561) as the main technique and the Disk Content Wipe (T1561.001) sub-technique.
Apart from the Sigma detection above, you can leverage the YARA rule from our top-tier Threat Bounty developer Antonio Farina:
To detect other vulnerabilities, see the full list of rules available in the Threat Detection Marketplace repository of the SOC Prime Platform. Crafting your own content? Join forces with the world’s largest cyber defense community powered by the Threat Bounty program, and earn a stable income by sharing your detection content.
View Detections Join Threat Bounty
CaddyWiper Analysis
Since the beginning of Russian aggression in 2022, a wave of debilitating cyber-attacks has hit Ukraine aimed to cripple its digital infrastructure and undermine the county’s stability. On March 14, ESET researchers reported a novel data-wiper malware, dubbed CaddyWiper. It was designed to destroy data and partition information from attached drives.
According to the current data, adversaries have succeeded with up to ten hacks of Ukrainian organizations, armed with this strain of data-wiping malware. CaddyWiper deployment cases show one tactical similarity that CaddyWiper and HermeticWiper share: CaddyWiper infiltrated targeted systems through Windows domain controllers. Thus we know that the adversaries were controlling the Active Directory server similar to the recent HermeticWiper attacks. CaddyWiper being deployed avoids erasing data on domain controllers, while allowing the hackers behind the attack to persist and disturb operations. Another detail — the discovered sample was not digitally signed but compiled.
In these turbulent times, one cannot underestimate the importance of efficient cybersecurity practices. Powered by the collaborative cyber defense, SOC Prime curates 2,000+ Sigma-based detections to defend against Russia-backed cyber threats with all the rules now available to hunt for free using the Quick Hunt module. Log into the SOC Prime Platform and drill down to search for related threats with Quick Hunt:
Free hunting content against Russia-originated threats
Join SOC Prime’s Detection as Code platform to boost your threat detection capabilities with the power of industry leaders. Looking for ways to contribute your own detection content and drive collaborative cyber defense? Join forces with SOC Prime’s crowdsourcing initiative to share your Sigma rules with the community, contribute to safer cyberspace, and receive recurring rewards for your valuable input!