win.caddywiper

CaddyWiper

aka: KillDisk.NCX

Actor(s): APT28, Sandworm


CaddyWiper is another destructive malware believed to be deployed to target Ukraine.

CaddyWiper wipes all files under C:\Users and all files on every available drive from D: to Z: by overwriting their contents with NULL bytes. If a target file is larger than 0xA00000 bytes (10MB), only the first 0xA00000 bytes are overwritten.

It also wipes the disk partitions of \\.\PHYSICALDRIVE9 down to \\.\PHYSICALDRIVE0 by overwriting the first 0x780 bytes of each drive with NULL bytes.
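The two overwrite limits above (0xA00000 bytes per file, 0x780 bytes per physical drive) give a forensic examiner something concrete to check for. The following is an added triage example, not code from the Malpedia page or from any of the referenced reports: it tests a file body or the head of a drive image against that pattern, and notes the part of a large file that survives the capped wipe. The function names and the sample inputs are constructed for illustration.

```python
"""Triage checks for the CaddyWiper overwrite pattern described above.

Added example, not code from the Malpedia page or from any referenced report.
The two thresholds are taken from the description: file contents are NULLed up
to 0xA00000 bytes, and the first 0x780 bytes of each physical drive are NULLed.
Function names and the sample inputs are constructed for illustration.
"""

FILE_WIPE_CAP = 0xA00000      # 10 MiB; larger files keep everything past this offset
DRIVE_WIPE_LEN = 0x780        # bytes NULLed at the start of each \\.\PHYSICALDRIVEn
MBR_SIGNATURE_OFFSET = 0x1FE  # the 0x55AA boot signature sits at byte 510 of sector 0


def leading_null_count(data: bytes) -> int:
    """Number of consecutive 0x00 bytes at the start of data."""
    return len(data) - len(data.lstrip(b"\x00"))


def file_matches_wipe_pattern(data: bytes) -> dict:
    """Report whether a file body looks like it went through the file-wipe loop.

    Expected shape: the first min(size, FILE_WIPE_CAP) bytes are all NULL. For
    files above the cap the bytes past offset 0xA00000 are left in place, which
    is worth knowing during recovery. A small file that was legitimately
    all-zero also matches, so treat a hit as a triage lead, not proof.
    """
    size = len(data)
    expected = min(size, FILE_WIPE_CAP)
    nulls = leading_null_count(data)
    matches = size > 0 and nulls >= expected
    partial = matches and size > FILE_WIPE_CAP
    return {
        "size": size,
        "null_prefix": nulls,
        "matches": matches,
        "partial_wipe": partial,
        "survivor_bytes": size - FILE_WIPE_CAP if partial else 0,
    }


def drive_matches_wipe_pattern(image: bytes) -> dict:
    """Check the head of a physical-drive image for the 0x780-byte NULL overwrite.

    0x780 is larger than one 512-byte sector, so a wiped drive also loses the
    0x55AA boot signature at offset 0x1FE; that is a cheap secondary indicator.
    """
    head = image[:DRIVE_WIPE_LEN]
    signature = image[MBR_SIGNATURE_OFFSET:MBR_SIGNATURE_OFFSET + 2]
    return {
        "head_nulled": len(head) == DRIVE_WIPE_LEN and head == bytes(DRIVE_WIPE_LEN),
        "boot_signature_intact": signature == b"\x55\xaa",
    }


def build_samples() -> dict:
    """Constructed inputs (not real artifacts) covering the cases above."""
    return {
        # > 10 MiB: only the capped prefix is NULLed, the tail survives
        "big_wiped": bytes(FILE_WIPE_CAP) + b"TAIL-SURVIVES" * 8,
        # small file: the whole body is NULLed
        "small_wiped": bytes(4096),
        # untouched PE-like file: zeros in the middle, not at the start
        "untouched": b"MZ" + bytes(2046) + b"payload",
        # minimal MBR: one active partition entry and the 0x55AA signature
        "intact_mbr": bytes(446) + b"\x80" + bytes(63) + b"\x55\xaa" + bytes(DRIVE_WIPE_LEN - 512),
        # drive head after the wipe: first 0x780 bytes NULL, later data still present
        "wiped_mbr": bytes(DRIVE_WIPE_LEN) + b"leftover",
    }


def triage_samples() -> dict:
    """Run both checks over the constructed samples."""
    s = build_samples()
    return {
        "big": file_matches_wipe_pattern(s["big_wiped"]),
        "small": file_matches_wipe_pattern(s["small_wiped"]),
        "untouched": file_matches_wipe_pattern(s["untouched"]),
        "intact_mbr": drive_matches_wipe_pattern(s["intact_mbr"]),
        "wiped_mbr": drive_matches_wipe_pattern(s["wiped_mbr"]),
    }


if __name__ == "__main__":
    for name, result in triage_samples().items():
        print(f"{name}: {result}")
```

The file check is deliberately a prefix test rather than a whole-file test: on a real system the bytes after 0xA00000 in a large file are exactly what a recovery effort can still use, so the report calls them out separately.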

References

2024-04-16 | Mandiant | Alden Wahlstrom, Anton Prokopenkov, Dan Black, Dan Perez, Gabby Roncone, John Wolfram, Lexie Aytes, Nick Simonian, Ryan Hall, Tyler McLellan
APT44: Unearthing Sandworm
VPNFilter BlackEnergy CaddyWiper EternalPetya HermeticWiper Industroyer INDUSTROYER2 Olympic Destroyer PartyTicket RoarBAT Sandworm

2023-11-09 | Mandiant | Chris Sistrunk, Daniel Kapellmann Zafra, Jared Wilson, John Wolfram, Keith Lunden, Ken Proska, Nathan Brubaker, Tyler McLellan
Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology
CaddyWiper

2023-07-12 | Mandiant | Dan Black, Gabby Roncone
The GRU's Disruptive Playbook
CaddyWiper INDUSTROYER2 XakNet

2023-04-18 | Mandiant | Mandiant
M-Trends 2023
QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate

2023-03-15 | Microsoft | Microsoft Threat Intelligence
A year of Russian hybrid warfare in Ukraine
CaddyWiper DesertBlade DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket SwiftSlicer WhisperGate

2023-02-15 | Google | Google Threat Analysis Group, Mandiant
Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape
CaddyWiper Dharma HermeticWiper INDUSTROYER2 PartyTicket WhisperGate Callisto Curious Gorge MUSTANG PANDA Turla

2023-01-27 | Cert-UA | Cert-UA
Cyber attack on the Ukrinform information and communication system
CaddyWiper

2023-01-24 | Fortinet | Geri Revay
The Year of the Wiper
Azov Wiper Bruh Wiper CaddyWiper Cobalt Strike Vidar

2022-12-03 | Microsoft | Cliff Watts
Preparing for a Russian cyber offensive against Ukraine this winter
CaddyWiper HermeticWiper Prestige

2022-10-24 | Youtube (Virus Bulletin) | Alexander Adamov
Russian wipers in the cyberwar against Ukraine
AcidRain CaddyWiper DesertBlade DoubleZero EternalPetya HermeticWiper HermeticWizard INDUSTROYER2 IsaacWiper KillDisk PartyTicket WhisperGate

2022-09-26 | CrowdStrike | Ioan Iacob, Iulian Madalin Ionita
The Anatomy of Wiper Malware, Part 3: Input/Output Controls
CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper Meteor Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare

2022-09-23 | Mandiant | Mandiant Intelligence
GRU: Rise of the (Telegram) MinIOns
ArguePatch CaddyWiper XakNet

2022-08-18 | Trustwave | Pawel Knapczyk
Overview of the Cyber Weapons Used in the Ukraine - Russia War
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket

2022-08-12 | CrowdStrike | Ioan Iacob, Iulian Madalin Ionita
The Anatomy of Wiper Malware, Part 1: Common Techniques
Apostle CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper IsraBye KillDisk Meteor Olympic Destroyer Ordinypt Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare

2022-05-02 | AT&T | Fernando Martinez
Analysis on recent wiper attacks: examples and how wiper malware works
AcidRain CaddyWiper DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper

2022-04-28 | Fortinet | Gergely Revay
An Overview of the Increasing Wiper Malware Threat
AcidRain CaddyWiper DistTrack DoubleZero EternalPetya HermeticWiper IsaacWiper Olympic Destroyer Ordinypt WhisperGate ZeroCleare

2022-04-27 | Microsoft | Microsoft Digital Security Unit (DSU)
Special Report: Ukraine An overview of Russia’s cyberattack activity in Ukraine
CaddyWiper DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket WhisperGate

2022-04-12 | ESET Research | ESET Research
Industroyer2: Industroyer reloaded
ArguePatch CaddyWiper Industroyer INDUSTROYER2

2022-04-12 | Cert-UA | Cert-UA
Cyberattack of Sandworm Group (UAC-0082) on energy facilities of Ukraine using malicious programs INDUSTROYER2 and CADDYWIPER (CERT-UA # 4435)
CaddyWiper Industroyer INDUSTROYER2

2022-04-12 | Twitter (@silascutler) | Silas Cutler
Tweet on analysis of CADDYWIPER used alongside with INDUSTROYER2
CaddyWiper INDUSTROYER2

2022-04-12 | ESET Research | ESET Ireland
Industroyer2: Industroyer reloaded
CaddyWiper INDUSTROYER2

2022-04-12 | Max Kersten's Blog | Max Kersten
Ghidra script to handle stack strings
CaddyWiper PlugX

2022-04-05 | Morphisec | Michael Dereviashkin
New Analysis: The CaddyWiper Malware Attacking Ukraine
CaddyWiper

2022-04-01 | splunk | Splunk Threat Research Team
Threat Update: CaddyWiper
CaddyWiper

2022-03-31 | eSentire | eSentire Threat Response Unit (TRU)
eSentire Threat Intelligence Malware Analysis: CaddyWiper
CaddyWiper

2022-03-26 | n0p Blog | Ali Mosajjal
Analysis of a Caddy Wiper Sample Targeting Ukraine
CaddyWiper

2022-03-25 | GOV.UA | State Service of Special Communication and Information Protection of Ukraine (CIP)
Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22
Xloader Agent Tesla CaddyWiper Cobalt Strike DoubleZero GraphSteel GrimPlant HeaderTip HermeticWiper IsaacWiper MicroBackdoor Pandora RAT

2022-03-24 | NextGov | Brandi Vincent
Ukrainian Cyber Lead Says ‘At Least 4 Types of Malware’ in Use to Target Critical Infrastructure and Humanitarian Aid
CaddyWiper DoubleZero HermeticWiper IsaacWiper

2022-03-18 | Malwarebytes | Threat Intelligence Team
Double header: IsaacWiper and CaddyWiper
CaddyWiper IsaacWiper

2022-03-17 | NioGuard | NioGuard Security Lab
Analysis of CaddyWiper
CaddyWiper

2022-03-16 | Cyber Security News | Gurubaran
Destructive Data Wiper Malware Targeting high-profile Ukrainian Organizations
CaddyWiper

2022-03-15 | Twitter (@HackNPatch) | HackNPatch
Tweet on Exploring CaddyWiper API resolution
CaddyWiper

2022-03-15 | SecurityIntelligence | Christopher Del Fierro, John Dwyer
CaddyWiper: Third Wiper Malware Targeting Ukrainian Organizations
CaddyWiper

2022-03-15 | TRUESEC | Nicklas Keijser
Analysis of CaddyWiper, wiper targeting Ukraine
CaddyWiper

2022-03-15 | SecurityAffairs | Pierluigi Paganini
CaddyWiper, a new data wiper hits Ukraine
CaddyWiper

2022-03-15 | ESET Research | ESET Research
CaddyWiper: New wiper malware discovered in Ukraine
CaddyWiper

2022-03-15 | The Hacker News | Ravie Lakshmanan
CaddyWiper: Yet Another Data Wiping Malware Targeting Ukrainian Networks
CaddyWiper

2022-03-15 | Cisco | Cisco Talos
Threat Advisory: CaddyWiper
CaddyWiper

2022-03-14 | Bleeping Computer | Sergiu Gatlan
New CaddyWiper data wiping malware hits Ukrainian networks
CaddyWiper

2022-03-14 | Twitter (@ESETresearch) | ESET Research
Tweet on CaddyWiper as 3rd destructive wiper found deployed against Ukraine
CaddyWiper Sunglow Blizzard

2022-03-14 | Cybernews | Jurgita Lapienytė
New destructive wiper malware deployed in Ukraine
CaddyWiper

2022-02-28 | Microsoft | MSRC Team
Cyber threat activity in Ukraine: analysis and resources
CaddyWiper DesertBlade DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket WhisperGate DEV-0586

Yara Rules
[TLP:WHITE] win_caddywiper_auto (20241030 | Detects win.caddywiper.)
rule win_caddywiper_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.caddywiper."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.caddywiper"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c6852bffffff50 c6852cffffff72 c6852dffffff69 c6852effffff76 }
            // n = 4, score = 100
            //   c6852bffffff50       | mov                 byte ptr [ebp - 0xd5], 0x50
            //   c6852cffffff72       | mov                 byte ptr [ebp - 0xd4], 0x72
            //   c6852dffffff69       | mov                 byte ptr [ebp - 0xd3], 0x69
            //   c6852effffff76       | mov                 byte ptr [ebp - 0xd2], 0x76

        $sequence_1 = { c68523ffffff77 c68524ffffff6e c68525ffffff65 c68526ffffff72 c68527ffffff73 c68528ffffff68 c68529ffffff69 }
            // n = 7, score = 100
            //   c68523ffffff77       | mov                 byte ptr [ebp - 0xdd], 0x77
            //   c68524ffffff6e       | mov                 byte ptr [ebp - 0xdc], 0x6e
            //   c68525ffffff65       | mov                 byte ptr [ebp - 0xdb], 0x65
            //   c68526ffffff72       | mov                 byte ptr [ebp - 0xda], 0x72
            //   c68527ffffff73       | mov                 byte ptr [ebp - 0xd9], 0x73
            //   c68528ffffff68       | mov                 byte ptr [ebp - 0xd8], 0x68
            //   c68529ffffff69       | mov                 byte ptr [ebp - 0xd7], 0x69

        $sequence_2 = { ff954cf7ffff 8985e0f1ffff 83bde0f1ffffff 7505 e9???????? }
            // n = 5, score = 100
            //   ff954cf7ffff         | call                dword ptr [ebp - 0x8b4]
            //   8985e0f1ffff         | mov                 dword ptr [ebp - 0xe20], eax
            //   83bde0f1ffffff       | cmp                 dword ptr [ebp - 0xe20], -1
            //   7505                 | jne                 7
            //   e9????????           |                     

        $sequence_3 = { c645f26c c645f300 c645f400 c645f500 c645d043 }
            // n = 5, score = 100
            //   c645f26c             | mov                 byte ptr [ebp - 0xe], 0x6c
            //   c645f300             | mov                 byte ptr [ebp - 0xd], 0
            //   c645f400             | mov                 byte ptr [ebp - 0xc], 0
            //   c645f500             | mov                 byte ptr [ebp - 0xb], 0
            //   c645d043             | mov                 byte ptr [ebp - 0x30], 0x43

        $sequence_4 = { c645c06b c645c165 c645c26e c645c350 c645c472 }
            // n = 5, score = 100
            //   c645c06b             | mov                 byte ptr [ebp - 0x40], 0x6b
            //   c645c165             | mov                 byte ptr [ebp - 0x3f], 0x65
            //   c645c26e             | mov                 byte ptr [ebp - 0x3e], 0x6e
            //   c645c350             | mov                 byte ptr [ebp - 0x3d], 0x50
            //   c645c472             | mov                 byte ptr [ebp - 0x3c], 0x72

        $sequence_5 = { 50 8d8db4fbffff 51 e8???????? 83c408 89854cf7ffff }
            // n = 6, score = 100
            //   50                   | push                eax
            //   8d8db4fbffff         | lea                 ecx, [ebp - 0x44c]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   89854cf7ffff         | mov                 dword ptr [ebp - 0x8b4], eax

        $sequence_6 = { 8b4df0 51 e8???????? 83c404 8945e8 837de800 0f84dc000000 }
            // n = 7, score = 100
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   837de800             | cmp                 dword ptr [ebp - 0x18], 0
            //   0f84dc000000         | je                  0xe2

        $sequence_7 = { e8???????? 83c408 89854cffffff c745fc00000000 c68538ffffff43 c68539ffffff6c c6853affffff6f }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   89854cffffff         | mov                 dword ptr [ebp - 0xb4], eax
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   c68538ffffff43       | mov                 byte ptr [ebp - 0xc8], 0x43
            //   c68539ffffff6c       | mov                 byte ptr [ebp - 0xc7], 0x6c
            //   c6853affffff6f       | mov                 byte ptr [ebp - 0xc6], 0x6f

        $sequence_8 = { c6852dffffff69 c6852effffff76 c6852fffffff69 c68530ffffff6c c68531ffffff65 c68532ffffff67 c68533ffffff65 }
            // n = 7, score = 100
            //   c6852dffffff69       | mov                 byte ptr [ebp - 0xd3], 0x69
            //   c6852effffff76       | mov                 byte ptr [ebp - 0xd2], 0x76
            //   c6852fffffff69       | mov                 byte ptr [ebp - 0xd1], 0x69
            //   c68530ffffff6c       | mov                 byte ptr [ebp - 0xd0], 0x6c
            //   c68531ffffff65       | mov                 byte ptr [ebp - 0xcf], 0x65
            //   c68532ffffff67       | mov                 byte ptr [ebp - 0xce], 0x67
            //   c68533ffffff65       | mov                 byte ptr [ebp - 0xcd], 0x65

        $sequence_9 = { c645eb00 c645ec65 c645ed00 c645ee6c }
            // n = 4, score = 100
            //   c645eb00             | mov                 byte ptr [ebp - 0x15], 0
            //   c645ec65             | mov                 byte ptr [ebp - 0x14], 0x65
            //   c645ed00             | mov                 byte ptr [ebp - 0x13], 0
            //   c645ee6c             | mov                 byte ptr [ebp - 0x12], 0x6c

    condition:
        7 of them and filesize < 33792
}
[TLP:WHITE] win_caddywiper_w0 (20220316 | Detects CaddyWiper)
rule win_caddywiper_w0 {
	meta:
		author = "IBM Security X-Force"
		description = "Detects CaddyWiper"
		threat_type = "Malware"
		rule_category = "Malware Family"
		usage = "Hunting and Identification"
		hash = "a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea"
		yara_version = "4.0.2"
		date_created = "15 March 22"
		malpedia_rule_date = "20220315"
		malpedia_hash = ""
		malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.caddywiper"
		malpedia_version = "20220316"
		malpedia_license = "CC BY-NC-SA 4.0"
		malpedia_sharing = "TLP:WHITE"
	strings:
		$s1 = "DsRoleGetPrimaryDomainInformation" ascii fullword
		$hex1 = {
			C645??43 //'C'
			C645??3A //':'
			C645??5C //'\'
			C645??55 //'U'
			C645??73 //'s'
			C645??65 //'e'
			C645??72 //'r'
			C645??73 //'s'
		}
		$hex2 = {
			C645??44 // 'D'
			C645??65 // 'e'
			C645??76 // 'v'
			C645??69 // 'i'
			C645??63 // 'c'
			C645??65 // 'e'
			C645??49 // 'I'
			C645??6F // 'o'
			C645??43 // 'C'
			C645??6F // 'o'
			C645??6E // 'n'
			C645??74 // 't'
			C645??72 // 'r'
			C645??6F // 'o'
			C645??6C // 'l'
		}
	condition:
		uint16(0) == 0x5A4D and 
		all of them
}
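Both rules above key on the same artifact: CaddyWiper builds its strings on the stack one byte at a time with `mov byte ptr [ebp - N], imm8`, encoded as C6 45 <disp8> <imm8> (the form the IBM rule wildcards as C645??XX) or C6 85 <disp32> <imm8> (the form visible in the autogenerated rule's sequences). The following is an added example, not part of Malpedia, yara-signator or the IBM rule: it collects those immediates by stack offset, reads them back in address order to recover the string fragments, and renders a string into the IBM rule's wildcard layout for comparison. PAGE_SEQUENCES is constructed by concatenating the raw bytes quoted in win_caddywiper_auto ($sequence_1, $sequence_0, $sequence_8, $sequence_4, $sequence_3); the function names are ours.

```python
"""Recover the stack strings the two YARA rules above match on.

Added example; not part of Malpedia, yara-signator or the IBM rule. The input
is constructed from byte sequences quoted in win_caddywiper_auto; the decoder
and its function names are ours.
"""
import struct


def collect_stack_bytes(code: bytes) -> dict:
    """Map ebp-relative offset -> immediate for every mov byte ptr [ebp+disp], imm8."""
    found = {}
    i, n = 0, len(code)
    while i < n:
        if code[i] == 0xC6 and i + 1 < n:
            modrm = code[i + 1]
            if modrm == 0x45 and i + 4 <= n:      # C6 45 disp8 imm8 (4 bytes)
                disp = struct.unpack_from("<b", code, i + 2)[0]
                found[disp] = code[i + 3]
                i += 4
                continue
            if modrm == 0x85 and i + 7 <= n:      # C6 85 disp32 imm8 (7 bytes)
                disp = struct.unpack_from("<i", code, i + 2)[0]
                found[disp] = code[i + 6]
                i += 7
                continue
        i += 1
    return found


def assemble_strings(stack_bytes: dict, min_len: int = 3) -> list:
    """Join bytes at consecutive offsets, split on NUL terminators, keep printable runs."""
    runs, current, prev = [], bytearray(), None
    for offset in sorted(stack_bytes):
        if prev is not None and offset != prev + 1:   # gap in the frame: start a new run
            runs.append(bytes(current))
            current = bytearray()
        current.append(stack_bytes[offset])
        prev = offset
    if current:
        runs.append(bytes(current))

    strings = []
    for run in runs:
        for piece in run.split(b"\x00"):
            if len(piece) >= min_len and all(0x20 <= b < 0x7F for b in piece):
                strings.append(piece.decode("ascii"))
    return strings


def yara_stack_string_pattern(text: str) -> str:
    """Render a string the way the IBM rule's $hex1/$hex2 do (disp8 form only).

    Strings that live deeper than 128 bytes into the frame use the C6 85 disp32
    encoding instead, so a C645?? pattern will not match those.
    """
    return " ".join(f"C645??{b:02X}" for b in text.encode("ascii"))


# Constructed input: the raw bytes quoted in the autogenerated rule, concatenated.
PAGE_SEQUENCES = bytes.fromhex(
    "c68523ffffff77c68524ffffff6ec68525ffffff65c68526ffffff72"
    "c68527ffffff73c68528ffffff68c68529ffffff69"               # $sequence_1
    "c6852bffffff50c6852cffffff72c6852dffffff69c6852effffff76"  # $sequence_0
    "c6852dffffff69c6852effffff76c6852fffffff69c68530ffffff6c"
    "c68531ffffff65c68532ffffff67c68533ffffff65"               # $sequence_8
    "c645c06bc645c165c645c26ec645c350c645c472"                 # $sequence_4
    "c645f26cc645f300c645f400c645f500c645d043"                 # $sequence_3
)


def decode_page_sequences() -> list:
    """Fragments recoverable from the quoted sequences.

    The byte at [ebp-0xd6] appears in none of the quoted sequences, so the
    fragments on either side of it come back as two separate strings.
    """
    return assemble_strings(collect_stack_bytes(PAGE_SEQUENCES))


if __name__ == "__main__":
    print(decode_page_sequences())
    print(yara_stack_string_pattern("C:\\Users"))
```

Run against a whole unpacked sample rather than the quoted fragments, the same two functions give the full string set the rules were derived from, which is the quickest way to judge how much of a rule's coverage rests on one string. The disp8 caveat in yara_stack_string_pattern is the reason the IBM rule's $hex1 would miss the same text if the compiler placed it further down the frame.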