Caddy Wiper

Description

Caddy Wiper is a destructive payload that detects if its running on a Domain Controller and executes killswitch if detected. If not in a DC it destroys Users and subsequent mapped drives. This wiper also destroys drive partitions inculding boot partitions.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:
Last Updated: 2022-03-25
Author: Teoderick Contreras, Rod Soto, Splunk
ID: 435a156a-8ef1-4184-bd52-22328fb65d3a

Narrative

Caddy Wiper is destructive malware operation found by ESET multiple organizations in Ukraine. This malicious payload destroys user files, avoids executing on Dnomain Controllers and destroys boot and drive partitions.

Detections

Name	Technique	Type
Windows Raw Access To Disk Volume Partition	Disk Structure Wipe, Disk Wipe	Anomaly
Windows Raw Access To Master Boot Record Drive	Disk Structure Wipe, Disk Wipe	TTP

Reference

https://twitter.com/ESETresearch/status/1503436420886712321
https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine/

source | version: 1

Twitter Facebook LinkedIn