SYMBOLCOMMON_NAMEaka. SYNONYMS
win.caddywiper (Back to overview)

CaddyWiper

aka: KillDisk.NCX

CaddyWiper is another destructive malware believed to be deployed to target Ukraine.

CaddyWiper wipes all files under C:\Users and all also all files under available drives from D: to Z: by overwriting the data with NULL value. If the target file is greater than 0xA00000 bytes in size (10MB), it will only wipe the first 0xA00000 bytes.

It also wipes disk partitions from \\.\PHYSICALDRIVE9 to \\.\PHYSICALDRIVE0 by overwriting the first 0x780 bytes with NULL.

References
2022-05-02AT&TFernando Martinez
@online{martinez:20220502:analysis:e5d626b, author = {Fernando Martinez}, title = {{Analysis on recent wiper attacks: examples and how wiper malware works}}, date = {2022-05-02}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works}, language = {English}, urldate = {2022-05-04} } Analysis on recent wiper attacks: examples and how wiper malware works
AcidRain CaddyWiper DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper
2022-04-28FortinetGergely Revay
@online{revay:20220428:overview:0ac963f, author = {Gergely Revay}, title = {{An Overview of the Increasing Wiper Malware Threat}}, date = {2022-04-28}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat}, language = {English}, urldate = {2022-04-29} } An Overview of the Increasing Wiper Malware Threat
AcidRain CaddyWiper DistTrack DoubleZero EternalPetya HermeticWiper IsaacWiper Olympic Destroyer Ordinypt WhisperGate ZeroCleare
2022-04-27MicrosoftMicrosoft Digital Security Unit (DSU)
@online{dsu:20220427:special:f1a2031, author = {Microsoft Digital Security Unit (DSU)}, title = {{Special Report: Ukraine An overview of Russia’s cyberattack activity in Ukraine}}, date = {2022-04-27}, organization = {Microsoft}, url = {https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd}, language = {English}, urldate = {2022-05-03} } Special Report: Ukraine An overview of Russia’s cyberattack activity in Ukraine
CaddyWiper DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket WhisperGate
2022-04-12Twitter (@silascutler)Silas Cutler
@online{cutler:20220412:analysis:561c2a2, author = {Silas Cutler}, title = {{Tweet on analysis of CADDYWIPER used alongside with INDUSTROYER2}}, date = {2022-04-12}, organization = {Twitter (@silascutler)}, url = {https://twitter.com/silascutler/status/1513870210398363651}, language = {English}, urldate = {2022-05-25} } Tweet on analysis of CADDYWIPER used alongside with INDUSTROYER2
CaddyWiper INDUSTROYER2
2022-04-12ESET ResearchESET Research
@online{research:20220412:industroyer2:4d6c5f8, author = {ESET Research}, title = {{Industroyer2: Industroyer reloaded}}, date = {2022-04-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/}, language = {English}, urldate = {2022-04-13} } Industroyer2: Industroyer reloaded
ArguePatch CaddyWiper Industroyer INDUSTROYER2
2022-04-12Cert-UACert-UA
@online{certua:20220412:cyberattack:5f28c75, author = {Cert-UA}, title = {{Cyberattack of Sandworm Group (UAC-0082) on energy facilities of Ukraine using malicious programs INDUSTROYER2 and CADDYWIPER (CERT-UA # 4435)}}, date = {2022-04-12}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/39518}, language = {Ukrainian}, urldate = {2022-05-25} } Cyberattack of Sandworm Group (UAC-0082) on energy facilities of Ukraine using malicious programs INDUSTROYER2 and CADDYWIPER (CERT-UA # 4435)
CaddyWiper Industroyer INDUSTROYER2
2022-04-12Max Kersten's BlogMax Kersten
@online{kersten:20220412:ghidra:4afe367, author = {Max Kersten}, title = {{Ghidra script to handle stack strings}}, date = {2022-04-12}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-handle-stack-strings/}, language = {English}, urldate = {2022-04-20} } Ghidra script to handle stack strings
CaddyWiper PlugX
2022-04-12ESET ResearchESET Ireland
@online{ireland:20220412:industroyer2:aa61be3, author = {ESET Ireland}, title = {{Industroyer2: Industroyer reloaded}}, date = {2022-04-12}, organization = {ESET Research}, url = {https://blog.eset.ie/2022/04/12/industroyer2-industroyer-reloaded/}, language = {English}, urldate = {2022-05-04} } Industroyer2: Industroyer reloaded
CaddyWiper INDUSTROYER2
2022-04-05MorphisecMichael Dereviashkin
@online{dereviashkin:20220405:new:2f2f8a9, author = {Michael Dereviashkin}, title = {{New Analysis: The CaddyWiper Malware Attacking Ukraine}}, date = {2022-04-05}, organization = {Morphisec}, url = {https://blog.morphisec.com/caddywiper-analysis-new-malware-attacking-ukraine}, language = {English}, urldate = {2022-04-07} } New Analysis: The CaddyWiper Malware Attacking Ukraine
CaddyWiper
2022-04-01splunkSplunk Threat Research Team
@online{team:20220401:threat:1955941, author = {Splunk Threat Research Team}, title = {{Threat Update: CaddyWiper}}, date = {2022-04-01}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/threat-update-caddywiper.html}, language = {English}, urldate = {2022-04-12} } Threat Update: CaddyWiper
CaddyWiper
2022-03-31eSentireeSentire Threat Response Unit (TRU)
@online{tru:20220331:esentire:287e4dd, author = {eSentire Threat Response Unit (TRU)}, title = {{eSentire Threat Intelligence Malware Analysis: CaddyWiper}}, date = {2022-03-31}, organization = {eSentire}, url = {https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-caddywiper}, language = {English}, urldate = {2022-05-23} } eSentire Threat Intelligence Malware Analysis: CaddyWiper
CaddyWiper
2022-03-26n0p BlogAli Mosajjal
@online{mosajjal:20220326:analysis:b94c029, author = {Ali Mosajjal}, title = {{Analysis of a Caddy Wiper Sample Targeting Ukraine}}, date = {2022-03-26}, organization = {n0p Blog}, url = {https://n0p.me/2022/03/2022-03-26-caddywiper/}, language = {English}, urldate = {2022-03-28} } Analysis of a Caddy Wiper Sample Targeting Ukraine
CaddyWiper
2022-03-25GOV.UAState Service of Special Communication and Information Protection of Ukraine (CIP)
@online{cip:20220325:who:e75f0ac, author = {State Service of Special Communication and Information Protection of Ukraine (CIP)}, title = {{Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22}}, date = {2022-03-25}, organization = {GOV.UA}, url = {https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya}, language = {English}, urldate = {2022-03-28} } Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22
Xloader Agent Tesla CaddyWiper Cobalt Strike DoubleZero GraphSteel GrimPlant HeaderTip HermeticWiper IsaacWiper MicroBackdoor Pandora
2022-03-24NextGovBrandi Vincent
@online{vincent:20220324:ukrainian:74b1566, author = {Brandi Vincent}, title = {{Ukrainian Cyber Lead Says ‘At Least 4 Types of Malware’ in Use to Target Critical Infrastructure and Humanitarian Aid}}, date = {2022-03-24}, organization = {NextGov}, url = {https://www.nextgov.com/cybersecurity/2022/03/ukrainian-cyber-lead-least-4-types-malware-are-targeting-ukrainian-institutions/363558/}, language = {English}, urldate = {2022-03-25} } Ukrainian Cyber Lead Says ‘At Least 4 Types of Malware’ in Use to Target Critical Infrastructure and Humanitarian Aid
CaddyWiper DoubleZero HermeticWiper IsaacWiper
2022-03-18MalwarebytesThreat Intelligence Team
@online{team:20220318:double:fde615f, author = {Threat Intelligence Team}, title = {{Double header: IsaacWiper and CaddyWiper}}, date = {2022-03-18}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-intelligence/2022/03/double-header-isaacwiper-and-caddywiper/}, language = {English}, urldate = {2022-03-28} } Double header: IsaacWiper and CaddyWiper
CaddyWiper IsaacWiper
2022-03-17NioGuardNioGuard Security Lab
@online{lab:20220317:analysis:90c9558, author = {NioGuard Security Lab}, title = {{Analysis of CaddyWiper}}, date = {2022-03-17}, organization = {NioGuard}, url = {https://www.nioguard.com/2022/03/analysis-of-caddywiper.html}, language = {English}, urldate = {2022-03-22} } Analysis of CaddyWiper
CaddyWiper
2022-03-16Cyber Security NewsGurubaran
@online{gurubaran:20220316:destructive:f915ddf, author = {Gurubaran}, title = {{Destructive Data Wiper Malware Targeting high-profile Ukrainian Organizations}}, date = {2022-03-16}, organization = {Cyber Security News}, url = {https://cybersecuritynews.com/destructive-data-wiper-malware/}, language = {English}, urldate = {2022-03-17} } Destructive Data Wiper Malware Targeting high-profile Ukrainian Organizations
CaddyWiper
2022-03-15ESET ResearchESET Research
@online{research:20220315:caddywiper:0edb827, author = {ESET Research}, title = {{CaddyWiper: New wiper malware discovered in Ukraine}}, date = {2022-03-15}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine/}, language = {English}, urldate = {2022-03-15} } CaddyWiper: New wiper malware discovered in Ukraine
CaddyWiper
2022-03-15CiscoCisco Talos
@online{talos:20220315:threat:67922cf, author = {Cisco Talos}, title = {{Threat Advisory: CaddyWiper}}, date = {2022-03-15}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2022/03/threat-advisory-caddywiper.html}, language = {English}, urldate = {2022-03-18} } Threat Advisory: CaddyWiper
CaddyWiper
2022-03-15The Hacker NewsRavie Lakshmanan
@online{lakshmanan:20220315:caddywiper:f70771d, author = {Ravie Lakshmanan}, title = {{CaddyWiper: Yet Another Data Wiping Malware Targeting Ukrainian Networks}}, date = {2022-03-15}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/03/caddywiper-yet-another-data-wiping.html}, language = {English}, urldate = {2022-03-17} } CaddyWiper: Yet Another Data Wiping Malware Targeting Ukrainian Networks
CaddyWiper
2022-03-15SecurityIntelligenceChristopher Del Fierro, John Dwyer
@online{fierro:20220315:caddywiper:6504bd2, author = {Christopher Del Fierro and John Dwyer}, title = {{CaddyWiper: Third Wiper Malware Targeting Ukrainian Organizations}}, date = {2022-03-15}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/posts/caddywiper-malware-targeting-ukrainian-organizations/}, language = {English}, urldate = {2022-03-16} } CaddyWiper: Third Wiper Malware Targeting Ukrainian Organizations
CaddyWiper
2022-03-15SecurityAffairsPierluigi Paganini
@online{paganini:20220315:caddywiper:13b5403, author = {Pierluigi Paganini}, title = {{CaddyWiper, a new data wiper hits Ukraine}}, date = {2022-03-15}, organization = {SecurityAffairs}, url = {https://securityaffairs.co/wordpress/129069/cyber-warfare-2/caddywiper-wiper-hits-ukraine.html}, language = {English}, urldate = {2022-03-15} } CaddyWiper, a new data wiper hits Ukraine
CaddyWiper
2022-03-15Twitter (@HackNPatch)HackNPatch
@online{hacknpatch:20220315:exploring:5399622, author = {HackNPatch}, title = {{Tweet on Exploring CaddyWiper API resolution}}, date = {2022-03-15}, organization = {Twitter (@HackNPatch)}, url = {https://twitter.com/HackPatch/status/1503538555611607042}, language = {English}, urldate = {2022-03-28} } Tweet on Exploring CaddyWiper API resolution
CaddyWiper
2022-03-15TRUESECNicklas Keijser
@online{keijser:20220315:analysis:648df73, author = {Nicklas Keijser}, title = {{Analysis of CaddyWiper, wiper targeting Ukraine}}, date = {2022-03-15}, organization = {TRUESEC}, url = {https://www.truesec.com/hub/blog/analysis-of-caddywiper-wiper-targeting-ukraine}, language = {English}, urldate = {2022-03-16} } Analysis of CaddyWiper, wiper targeting Ukraine
CaddyWiper
2022-03-14Bleeping ComputerSergiu Gatlan
@online{gatlan:20220314:new:b53c7a5, author = {Sergiu Gatlan}, title = {{New CaddyWiper data wiping malware hits Ukrainian networks}}, date = {2022-03-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-caddywiper-data-wiping-malware-hits-ukrainian-networks/}, language = {English}, urldate = {2022-03-17} } New CaddyWiper data wiping malware hits Ukrainian networks
CaddyWiper
2022-03-14CybernewsJurgita Lapienytė
@online{lapienyt:20220314:new:965eae1, author = {Jurgita Lapienytė}, title = {{New destructive wiper malware deployed in Ukraine}}, date = {2022-03-14}, organization = {Cybernews}, url = {https://cybernews.com/cyber-war/new-destructive-wiper-malware-deployed-in-ukraine/}, language = {English}, urldate = {2022-03-15} } New destructive wiper malware deployed in Ukraine
CaddyWiper
2022-03-14Twitter (@ESETresearch)ESET Research
@online{research:20220314:caddywiper:ac25105, author = {ESET Research}, title = {{Tweet on CaddyWiper as 3rd destructive wiper found deployed against Ukraine}}, date = {2022-03-14}, organization = {Twitter (@ESETresearch)}, url = {https://twitter.com/ESETresearch/status/1503436420886712321}, language = {English}, urldate = {2022-03-14} } Tweet on CaddyWiper as 3rd destructive wiper found deployed against Ukraine
CaddyWiper
Yara Rules
[TLP:WHITE] win_caddywiper_auto (20220516 | Detects win.caddywiper.)
rule win_caddywiper_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.caddywiper."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.caddywiper"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c68502f8ffff6f c68503f8ffff73 c68504f8ffff65 c68505f8ffff48 c68506f8ffff61 c68507f8ffff6e }
            // n = 6, score = 100
            //   c68502f8ffff6f       | mov                 byte ptr [ebp - 0x7fe], 0x6f
            //   c68503f8ffff73       | mov                 byte ptr [ebp - 0x7fd], 0x73
            //   c68504f8ffff65       | mov                 byte ptr [ebp - 0x7fc], 0x65
            //   c68505f8ffff48       | mov                 byte ptr [ebp - 0x7fb], 0x48
            //   c68506f8ffff61       | mov                 byte ptr [ebp - 0x7fa], 0x61
            //   c68507f8ffff6e       | mov                 byte ptr [ebp - 0x7f9], 0x6e

        $sequence_1 = { c685b6fbffff65 c685b7fbffff00 c685b8fbffff72 c685b9fbffff00 }
            // n = 4, score = 100
            //   c685b6fbffff65       | mov                 byte ptr [ebp - 0x44a], 0x65
            //   c685b7fbffff00       | mov                 byte ptr [ebp - 0x449], 0
            //   c685b8fbffff72       | mov                 byte ptr [ebp - 0x448], 0x72
            //   c685b9fbffff00       | mov                 byte ptr [ebp - 0x447], 0

        $sequence_2 = { 51 8d55dc 52 e8???????? 83c408 8945f8 }
            // n = 6, score = 100
            //   51                   | push                ecx
            //   8d55dc               | lea                 edx, [ebp - 0x24]
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8945f8               | mov                 dword ptr [ebp - 8], eax

        $sequence_3 = { c745d000000000 c68574ffffff61 c68575ffffff00 c68576ffffff64 c68577ffffff00 }
            // n = 5, score = 100
            //   c745d000000000       | mov                 dword ptr [ebp - 0x30], 0
            //   c68574ffffff61       | mov                 byte ptr [ebp - 0x8c], 0x61
            //   c68575ffffff00       | mov                 byte ptr [ebp - 0x8b], 0
            //   c68576ffffff64       | mov                 byte ptr [ebp - 0x8a], 0x64
            //   c68577ffffff00       | mov                 byte ptr [ebp - 0x89], 0

        $sequence_4 = { 8b45fc 8945f8 8b4df8 8a11 8855f7 }
            // n = 5, score = 100
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   8a11                 | mov                 dl, byte ptr [ecx]
            //   8855f7               | mov                 byte ptr [ebp - 9], dl

        $sequence_5 = { c645ee6c c645ef00 c645f033 c645f100 c645f232 }
            // n = 5, score = 100
            //   c645ee6c             | mov                 byte ptr [ebp - 0x12], 0x6c
            //   c645ef00             | mov                 byte ptr [ebp - 0x11], 0
            //   c645f033             | mov                 byte ptr [ebp - 0x10], 0x33
            //   c645f100             | mov                 byte ptr [ebp - 0xf], 0
            //   c645f232             | mov                 byte ptr [ebp - 0xe], 0x32

        $sequence_6 = { c685aafbffff6c c685abfbffff6c c685acfbffff6f c685adfbffff63 c685aefbffff00 }
            // n = 5, score = 100
            //   c685aafbffff6c       | mov                 byte ptr [ebp - 0x456], 0x6c
            //   c685abfbffff6c       | mov                 byte ptr [ebp - 0x455], 0x6c
            //   c685acfbffff6f       | mov                 byte ptr [ebp - 0x454], 0x6f
            //   c685adfbffff63       | mov                 byte ptr [ebp - 0x453], 0x63
            //   c685aefbffff00       | mov                 byte ptr [ebp - 0x452], 0

        $sequence_7 = { 8b85a4f1ffff 50 6a40 ff95b8f1ffff 8985b0f1ffff 8b8da4f1ffff }
            // n = 6, score = 100
            //   8b85a4f1ffff         | mov                 eax, dword ptr [ebp - 0xe5c]
            //   50                   | push                eax
            //   6a40                 | push                0x40
            //   ff95b8f1ffff         | call                dword ptr [ebp - 0xe48]
            //   8985b0f1ffff         | mov                 dword ptr [ebp - 0xe50], eax
            //   8b8da4f1ffff         | mov                 ecx, dword ptr [ebp - 0xe5c]

        $sequence_8 = { c68543ffffff00 8d8d38ffffff 51 8d55b8 52 e8???????? 83c408 }
            // n = 7, score = 100
            //   c68543ffffff00       | mov                 byte ptr [ebp - 0xbd], 0
            //   8d8d38ffffff         | lea                 ecx, [ebp - 0xc8]
            //   51                   | push                ecx
            //   8d55b8               | lea                 edx, [ebp - 0x48]
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8

        $sequence_9 = { c685c4fbffff2e c685c5fbffff00 c685c6fbffff64 c685c7fbffff00 c685c8fbffff6c c685c9fbffff00 c685cafbffff6c }
            // n = 7, score = 100
            //   c685c4fbffff2e       | mov                 byte ptr [ebp - 0x43c], 0x2e
            //   c685c5fbffff00       | mov                 byte ptr [ebp - 0x43b], 0
            //   c685c6fbffff64       | mov                 byte ptr [ebp - 0x43a], 0x64
            //   c685c7fbffff00       | mov                 byte ptr [ebp - 0x439], 0
            //   c685c8fbffff6c       | mov                 byte ptr [ebp - 0x438], 0x6c
            //   c685c9fbffff00       | mov                 byte ptr [ebp - 0x437], 0
            //   c685cafbffff6c       | mov                 byte ptr [ebp - 0x436], 0x6c

    condition:
        7 of them and filesize < 33792
}
[TLP:WHITE] win_caddywiper_w0   (20220316 | Detects CaddyWiper)
rule win_caddywiper_w0 {
	meta:
		author = "IBM Security X-Force"
		description = "Detects CaddyWiper"
		threat_type = "Malware"
		rule_category = "Malware Family"
		usage = "Hunting and Identification"
		hash = "a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea"
		yara_version = "4.0.2"
		date_created = "15 March 22"
        malpedia_rule_date = "20220315"
        malpedia_hash = ""
		malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.caddywiper"
		malpedia_version = "20220316"
		malpedia_license = "CC BY-NC-SA 4.0"
		malpedia_sharing = "TLP:WHITE"
	strings:
		$s1 = "DsRoleGetPrimaryDomainInformation" ascii fullword
		$hex1 = {
			C645??43 //'C'
			C645??3A //':'
			C645??5C //'\'
			C645??55 //'U'
			C645??73 //'s'
			C645??65 //'e'
			C645??72 //'r'
			C645??73 //'s'
		}
		$hex2 = {
			C645??44 // 'D'
			C645??65 // 'e'
			C645??76 // 'v'
			C645??69 // 'i'
			C645??63 // 'c'
			C645??65 // 'e'
			C645??49 // 'I'
			C645??6F // 'o'
			C645??43 // 'C'
			C645??6F // 'o'
			C645??6E // 'n'
			C645??74 // 't'
			C645??72 // 'r'
			C645??6F // 'o'
			C645??6C // 'l'
		}
	condition:
		uint16(0) == 0x5A4D and 
		all of them
}
Download all Yara Rules