Analytics Story: Caddy Wiper
Description
Caddy Wiper is a destructive payload that detects if its running on a Domain Controller and executes killswitch if detected. If not in a DC it destroys Users and subsequent mapped drives. This wiper also destroys drive partitions inculding boot partitions.
Why it matters
Caddy Wiper is destructive malware operation found by ESET multiple organizations in Ukraine. This malicious payload destroys user files, avoids executing on Dnomain Controllers and destroys boot and drive partitions.
Detections
| Name | Technique | Type |
|---|---|---|
| Windows Raw Access To Disk Volume Partition | Disk Structure Wipe, Disk Wipe | Anomaly |
| Windows Raw Access To Master Boot Record Drive | Disk Structure Wipe, Disk Wipe | TTP |
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Sysmon EventID 9 |  Windows |
xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
References
- https://twitter.com/ESETresearch/status/1503436420886712321
- https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine/
Source: GitHub | Version: 1