SYMBOLCOMMON_NAMEaka. SYNONYMS
win.caddywiper (Back to overview)

CaddyWiper

aka: KillDisk.NCX

Actor(s): APT28

VTCollection    

CaddyWiper is another destructive malware believed to be deployed to target Ukraine.

CaddyWiper wipes all files under C:\Users and all also all files under available drives from D: to Z: by overwriting the data with NULL value. If the target file is greater than 0xA00000 bytes in size (10MB), it will only wipe the first 0xA00000 bytes.

It also wipes disk partitions from \\.\PHYSICALDRIVE9 to \\.\PHYSICALDRIVE0 by overwriting the first 0x780 bytes with NULL.

References
2023-11-09MandiantChris Sistrunk, Daniel Kapellmann Zafra, Jared Wilson, John Wolfram, Keith Lunden, Ken Proska, Nathan Brubaker, Tyler McLellan
Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology
CaddyWiper
2023-07-12MandiantDan Black, Gabby Roncone
The GRU's Disruptive Playbook
CaddyWiper INDUSTROYER2 XakNet
2023-04-18MandiantMandiant
M-Trends 2023
QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate
2023-03-15MicrosoftMicrosoft Threat Intelligence
A year of Russian hybrid warfare in Ukraine
CaddyWiper DesertBlade DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket SwiftSlicer WhisperGate
2023-02-15GoogleGoogle Threat Analysis Group, Mandiant
Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape
CaddyWiper Dharma HermeticWiper INDUSTROYER2 PartyTicket WhisperGate Callisto Curious Gorge MUSTANG PANDA Turla
2023-01-27Cert-UACert-UA
Cyber attack on the Ukrinform information and communication system
CaddyWiper
2023-01-24FortinetGeri Revay
The Year of the Wiper
Azov Wiper Bruh Wiper CaddyWiper Cobalt Strike Vidar
2022-12-03MicrosoftCliff Watts
Preparing for a Russian cyber offensive against Ukraine this winter
CaddyWiper HermeticWiper Prestige
2022-10-24Youtube (Virus Bulletin)Alexander Adamov
Russian wipers in the cyberwar against Ukraine
AcidRain CaddyWiper DesertBlade DoubleZero EternalPetya HermeticWiper HermeticWizard INDUSTROYER2 IsaacWiper KillDisk PartyTicket WhisperGate
2022-09-26CrowdStrikeIoan Iacob, Iulian Madalin Ionita
The Anatomy of Wiper Malware, Part 3: Input/Output Controls
CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper Meteor Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2022-09-23MandiantMandiant Intelligence
GRU: Rise of the (Telegram) MinIOns
ArguePatch CaddyWiper XakNet
2022-08-18TrustwavePawel Knapczyk
Overview of the Cyber Weapons Used in the Ukraine - Russia War
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket
2022-08-18TrustwavePawel Knapczyk
Overview of the Cyber Weapons Used in the Ukraine - Russia War
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket
2022-08-12CrowdStrikeIoan Iacob, Iulian Madalin Ionita
The Anatomy of Wiper Malware, Part 1: Common Techniques
Apostle CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper IsraBye KillDisk Meteor Olympic Destroyer Ordinypt Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2022-05-02AT&TFernando Martinez
Analysis on recent wiper attacks: examples and how wiper malware works
AcidRain CaddyWiper DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper
2022-04-28FortinetGergely Revay
An Overview of the Increasing Wiper Malware Threat
AcidRain CaddyWiper DistTrack DoubleZero EternalPetya HermeticWiper IsaacWiper Olympic Destroyer Ordinypt WhisperGate ZeroCleare
2022-04-27MicrosoftMicrosoft Digital Security Unit (DSU)
Special Report: Ukraine An overview of Russia’s cyberattack activity in Ukraine
CaddyWiper DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket WhisperGate
2022-04-12ESET ResearchESET Research
Industroyer2: Industroyer reloaded
ArguePatch CaddyWiper Industroyer INDUSTROYER2
2022-04-12Max Kersten's BlogMax Kersten
Ghidra script to handle stack strings
CaddyWiper PlugX
2022-04-12Cert-UACert-UA
Cyberattack of Sandworm Group (UAC-0082) on energy facilities of Ukraine using malicious programs INDUSTROYER2 and CADDYWIPER (CERT-UA # 4435)
CaddyWiper Industroyer INDUSTROYER2
2022-04-12ESET ResearchESET Ireland
Industroyer2: Industroyer reloaded
CaddyWiper INDUSTROYER2
2022-04-12Twitter (@silascutler)Silas Cutler
Tweet on analysis of CADDYWIPER used alongside with INDUSTROYER2
CaddyWiper INDUSTROYER2
2022-04-05MorphisecMichael Dereviashkin
New Analysis: The CaddyWiper Malware Attacking Ukraine
CaddyWiper
2022-04-01splunkSplunk Threat Research Team
Threat Update: CaddyWiper
CaddyWiper
2022-03-31eSentireeSentire Threat Response Unit (TRU)
eSentire Threat Intelligence Malware Analysis: CaddyWiper
CaddyWiper
2022-03-26n0p BlogAli Mosajjal
Analysis of a Caddy Wiper Sample Targeting Ukraine
CaddyWiper
2022-03-25GOV.UAState Service of Special Communication and Information Protection of Ukraine (CIP)
Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22
Xloader Agent Tesla CaddyWiper Cobalt Strike DoubleZero GraphSteel GrimPlant HeaderTip HermeticWiper IsaacWiper MicroBackdoor Pandora RAT
2022-03-24NextGovBrandi Vincent
Ukrainian Cyber Lead Says ‘At Least 4 Types of Malware’ in Use to Target Critical Infrastructure and Humanitarian Aid
CaddyWiper DoubleZero HermeticWiper IsaacWiper
2022-03-18MalwarebytesThreat Intelligence Team
Double header: IsaacWiper and CaddyWiper
CaddyWiper IsaacWiper
2022-03-17NioGuardNioGuard Security Lab
Analysis of CaddyWiper
CaddyWiper
2022-03-16Cyber Security NewsGurubaran
Destructive Data Wiper Malware Targeting high-profile Ukrainian Organizations
CaddyWiper
2022-03-15ESET ResearchESET Research
CaddyWiper: New wiper malware discovered in Ukraine
CaddyWiper
2022-03-15SecurityAffairsPierluigi Paganini
CaddyWiper, a new data wiper hits Ukraine
CaddyWiper
2022-03-15Twitter (@HackNPatch)HackNPatch
Tweet on Exploring CaddyWiper API resolution
CaddyWiper
2022-03-15TRUESECNicklas Keijser
Analysis of CaddyWiper, wiper targeting Ukraine
CaddyWiper
2022-03-15SecurityIntelligenceChristopher Del Fierro, John Dwyer
CaddyWiper: Third Wiper Malware Targeting Ukrainian Organizations
CaddyWiper
2022-03-15The Hacker NewsRavie Lakshmanan
CaddyWiper: Yet Another Data Wiping Malware Targeting Ukrainian Networks
CaddyWiper
2022-03-15CiscoCisco Talos
Threat Advisory: CaddyWiper
CaddyWiper
2022-03-14Bleeping ComputerSergiu Gatlan
New CaddyWiper data wiping malware hits Ukrainian networks
CaddyWiper
2022-03-14Twitter (@ESETresearch)ESET Research
Tweet on CaddyWiper as 3rd destructive wiper found deployed against Ukraine
CaddyWiper Sunglow Blizzard
2022-03-14CybernewsJurgita Lapienytė
New destructive wiper malware deployed in Ukraine
CaddyWiper
2022-02-28MicrosoftMSRC Team
Cyber threat activity in Ukraine: analysis and resources
CaddyWiper DesertBlade DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket WhisperGate DEV-0586
Yara Rules
[TLP:WHITE] win_caddywiper_auto (20230808 | Detects win.caddywiper.)
rule win_caddywiper_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.caddywiper."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.caddywiper"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8345b404 66837dac00 75c4 c745a800000000 }
            // n = 4, score = 100
            //   8345b404             | add                 dword ptr [ebp - 0x4c], 4
            //   66837dac00           | cmp                 word ptr [ebp - 0x54], 0
            //   75c4                 | jne                 0xffffffc6
            //   c745a800000000       | mov                 dword ptr [ebp - 0x58], 0

        $sequence_1 = { c68592feffff64 c68593feffff00 c68594feffff76 c68595feffff00 c68596feffff61 c68597feffff00 }
            // n = 6, score = 100
            //   c68592feffff64       | mov                 byte ptr [ebp - 0x16e], 0x64
            //   c68593feffff00       | mov                 byte ptr [ebp - 0x16d], 0
            //   c68594feffff76       | mov                 byte ptr [ebp - 0x16c], 0x76
            //   c68595feffff00       | mov                 byte ptr [ebp - 0x16b], 0
            //   c68596feffff61       | mov                 byte ptr [ebp - 0x16a], 0x61
            //   c68597feffff00       | mov                 byte ptr [ebp - 0x169], 0

        $sequence_2 = { 51 e8???????? 83c408 8985b0fbffff c785f4f1ffff00000000 c68588fbffff4c }
            // n = 6, score = 100
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8985b0fbffff         | mov                 dword ptr [ebp - 0x450], eax
            //   c785f4f1ffff00000000     | mov    dword ptr [ebp - 0xe0c], 0
            //   c68588fbffff4c       | mov                 byte ptr [ebp - 0x478], 0x4c

        $sequence_3 = { e9???????? 6a00 8b95acf1ffff 52 ff9564f7ffff }
            // n = 5, score = 100
            //   e9????????           |                     
            //   6a00                 | push                0
            //   8b95acf1ffff         | mov                 edx, dword ptr [ebp - 0xe54]
            //   52                   | push                edx
            //   ff9564f7ffff         | call                dword ptr [ebp - 0x89c]

        $sequence_4 = { 8b4dfc 8b5508 c7048a00000000 ebd7 }
            // n = 4, score = 100
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   c7048a00000000       | mov                 dword ptr [edx + ecx*4], 0
            //   ebd7                 | jmp                 0xffffffd9

        $sequence_5 = { c645b900 c645ba39 c645bb00 c645bc00 c645bd00 8d4d98 898df4f7ffff }
            // n = 7, score = 100
            //   c645b900             | mov                 byte ptr [ebp - 0x47], 0
            //   c645ba39             | mov                 byte ptr [ebp - 0x46], 0x39
            //   c645bb00             | mov                 byte ptr [ebp - 0x45], 0
            //   c645bc00             | mov                 byte ptr [ebp - 0x44], 0
            //   c645bd00             | mov                 byte ptr [ebp - 0x43], 0
            //   8d4d98               | lea                 ecx, [ebp - 0x68]
            //   898df4f7ffff         | mov                 dword ptr [ebp - 0x80c], ecx

        $sequence_6 = { c685a3feffff00 c685a4feffff6c c685a5feffff00 c685a6feffff6c c685a7feffff00 }
            // n = 5, score = 100
            //   c685a3feffff00       | mov                 byte ptr [ebp - 0x15d], 0
            //   c685a4feffff6c       | mov                 byte ptr [ebp - 0x15c], 0x6c
            //   c685a5feffff00       | mov                 byte ptr [ebp - 0x15b], 0
            //   c685a6feffff6c       | mov                 byte ptr [ebp - 0x15a], 0x6c
            //   c685a7feffff00       | mov                 byte ptr [ebp - 0x159], 0

        $sequence_7 = { c6459264 c6459300 8d458c 50 8d8d90feffff }
            // n = 5, score = 100
            //   c6459264             | mov                 byte ptr [ebp - 0x6e], 0x64
            //   c6459300             | mov                 byte ptr [ebp - 0x6d], 0
            //   8d458c               | lea                 eax, [ebp - 0x74]
            //   50                   | push                eax
            //   8d8d90feffff         | lea                 ecx, [ebp - 0x170]

        $sequence_8 = { 8985fcf7ffff 8d55c0 52 8d45dc }
            // n = 4, score = 100
            //   8985fcf7ffff         | mov                 dword ptr [ebp - 0x804], eax
            //   8d55c0               | lea                 edx, [ebp - 0x40]
            //   52                   | push                edx
            //   8d45dc               | lea                 eax, [ebp - 0x24]

        $sequence_9 = { 7407 8b4598 50 ff55fc 8b4594 8be5 }
            // n = 6, score = 100
            //   7407                 | je                  9
            //   8b4598               | mov                 eax, dword ptr [ebp - 0x68]
            //   50                   | push                eax
            //   ff55fc               | call                dword ptr [ebp - 4]
            //   8b4594               | mov                 eax, dword ptr [ebp - 0x6c]
            //   8be5                 | mov                 esp, ebp

    condition:
        7 of them and filesize < 33792
}
[TLP:WHITE] win_caddywiper_w0   (20220316 | Detects CaddyWiper)
rule win_caddywiper_w0 {
	meta:
		author = "IBM Security X-Force"
		description = "Detects CaddyWiper"
		threat_type = "Malware"
		rule_category = "Malware Family"
		usage = "Hunting and Identification"
		hash = "a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea"
		yara_version = "4.0.2"
		date_created = "15 March 22"
        malpedia_rule_date = "20220315"
        malpedia_hash = ""
		malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.caddywiper"
		malpedia_version = "20220316"
		malpedia_license = "CC BY-NC-SA 4.0"
		malpedia_sharing = "TLP:WHITE"
	strings:
		$s1 = "DsRoleGetPrimaryDomainInformation" ascii fullword
		$hex1 = {
			C645??43 //'C'
			C645??3A //':'
			C645??5C //'\'
			C645??55 //'U'
			C645??73 //'s'
			C645??65 //'e'
			C645??72 //'r'
			C645??73 //'s'
		}
		$hex2 = {
			C645??44 // 'D'
			C645??65 // 'e'
			C645??76 // 'v'
			C645??69 // 'i'
			C645??63 // 'c'
			C645??65 // 'e'
			C645??49 // 'I'
			C645??6F // 'o'
			C645??43 // 'C'
			C645??6F // 'o'
			C645??6E // 'n'
			C645??74 // 't'
			C645??72 // 'r'
			C645??6F // 'o'
			C645??6C // 'l'
		}
	condition:
		uint16(0) == 0x5A4D and 
		all of them
}
Download all Yara Rules