S0693 CaddyWiper
CaddyWiper is a destructive data wiper that has been used in attacks against organizations in Ukraine since at least March 2022.[1][2]
| Item | Value |
|---|---|
| ID | S0693 |
| Associated Names | none |
| Type | MALWARE |
| Version | 1.1 |
| Created | 23 March 2022 |
| Last Modified | 17 April 2024 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1485 | Data Destruction | CaddyWiper works alphabetically through the drives of a compromised system, taking ownership of each file and overwriting its contents.[1][2] |
| enterprise | T1561 | Disk Wipe | - |
| enterprise | T1561.002 | Disk Structure Wipe | CaddyWiper has the ability to destroy information about a physical drive's partitions, including the MBR, GPT, and partition entries.[1][2] |
| enterprise | T1083 | File and Directory Discovery | CaddyWiper can enumerate all files and directories on a compromised host.[3] |
| enterprise | T1222 | File and Directory Permissions Modification | - |
| enterprise | T1222.001 | Windows File and Directory Permissions Modification | CaddyWiper can modify ACL entries to take ownership of files.[2] |
| enterprise | T1106 | Native API | CaddyWiper dynamically resolves the Windows APIs it needs at runtime and uses them to enable the SeTakeOwnershipPrivilege token privilege before taking ownership of files.[2] |
| enterprise | T1057 | Process Discovery | CaddyWiper can obtain a list of running processes.[3] |
| enterprise | T1082 | System Information Discovery | CaddyWiper calls DsRoleGetPrimaryDomainInformation to determine the role of the infected machine and halts execution if the host is identified as a domain controller.[2][3] |
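As an added illustration, not part of the ATT&CK entry or of the cited reports, the following Python hunt turns the technique rows above into one scoring rule over process telemetry: a process that enables SeTakeOwnershipPrivilege or rewrites file owners (T1222.001, T1106), then writes files across two or more drive letters in ascending order (T1485), and finally opens a \\.\PhysicalDriveN device for write (T1561.002). The event schema, the sample events, the process names and the scoring thresholds are all constructed assumptions; map the four event kinds onto your own EDR or Sysmon fields before using it. The domain-controller check (T1082) is deliberately not scored, since a check that comes back negative leaves no distinguishing trace.

```python
import re
from dataclasses import dataclass, field


def ev(pid, image, kind, **fields):
    """Build one constructed telemetry event (schema is an assumption of this example)."""
    return {"pid": pid, "image": image, "kind": kind, **fields}


# Constructed sample telemetry, not real logs.  Event kinds used:
#   privilege       -> a token privilege was enabled by the process
#   acl             -> owner/DACL of a file was rewritten
#   file_write      -> a file was opened for write
#   raw_device_open -> a device object was opened (access = "read" | "write")
WIPER = "C:\\Temp\\wiper.exe"                       # hypothetical wiper process
BACKUP = "C:\\Program Files\\Backup\\agent.exe"     # benign: writes on several drives
DISKTOOL = "C:\\Windows\\System32\\diskpart.exe"    # benign: opens raw disks only
SAMPLE_EVENTS = [
    ev(4242, WIPER, "privilege", name="SeTakeOwnershipPrivilege"),
    ev(4242, WIPER, "acl", path="C:\\Users\\alice\\report.docx"),
    ev(4242, WIPER, "file_write", path="C:\\Users\\alice\\report.docx"),
    ev(4242, WIPER, "file_write", path="D:\\Shares\\finance\\q1.xlsx"),
    ev(4242, WIPER, "file_write", path="E:\\Backups\\db.bak"),
    ev(4242, WIPER, "raw_device_open", path="\\\\.\\PhysicalDrive0", access="write"),
    ev(900, BACKUP, "file_write", path="C:\\Backup\\set1.vbk"),
    ev(900, BACKUP, "file_write", path="D:\\Backup\\set2.vbk"),
    ev(1200, DISKTOOL, "raw_device_open", path="\\\\.\\PhysicalDrive1", access="write"),
]

PHYSICAL_DRIVE_RE = re.compile(r"^\\\\\.\\PhysicalDrive\d+$", re.IGNORECASE)
DRIVE_LETTER_RE = re.compile(r"^([A-Za-z]):\\")


@dataclass
class ProcessProfile:
    pid: int
    image: str = ""
    take_ownership_priv: bool = False  # T1106: SeTakeOwnershipPrivilege enabled
    acl_changes: int = 0               # T1222.001: file owner/DACL rewritten
    drives_touched: list = field(default_factory=list)  # T1485: letters, first-seen order
    raw_disk_writes: int = 0           # T1561.002: \\.\PhysicalDriveN opened for write


def drive_letter(path):
    """Upper-cased drive letter of a Win32 path, or None for device/UNC paths."""
    m = DRIVE_LETTER_RE.match(path)
    return m.group(1).upper() if m else None


def build_profiles(events):
    """Fold the event stream into one ProcessProfile per pid."""
    profiles = {}
    for e in events:
        p = profiles.setdefault(e["pid"], ProcessProfile(e["pid"], e.get("image", "")))
        kind = e["kind"]
        if kind == "privilege" and e["name"].lower() == "setakeownershipprivilege":
            p.take_ownership_priv = True
        elif kind == "acl":
            p.acl_changes += 1
        elif kind == "file_write":
            letter = drive_letter(e["path"])
            if letter and letter not in p.drives_touched:
                p.drives_touched.append(letter)
        elif kind == "raw_device_open":
            if PHYSICAL_DRIVE_RE.match(e["path"]) and e.get("access") == "write":
                p.raw_disk_writes += 1
    return profiles


def score_profile(p):
    """Score one process; each indicator corresponds to a row of the technique table."""
    score, reasons = 0, []
    if p.take_ownership_priv or p.acl_changes:
        score += 2
        reasons.append("takes ownership of files (T1222.001)")
    # CaddyWiper walks drives in letter order: two or more drives first seen in
    # ascending order is the sweep signal; a single drive is far too common to score.
    if len(p.drives_touched) >= 2 and p.drives_touched == sorted(p.drives_touched):
        score += 2
        reasons.append("sweeps drives alphabetically: %s (T1485)" % ",".join(p.drives_touched))
    if p.raw_disk_writes:
        score += 2
        reasons.append("opens a physical drive for write (T1561.002)")
    return score, reasons


def hunt(events, threshold=4):
    """Return processes scoring at or above threshold, highest score first."""
    hits = []
    for p in build_profiles(events).values():
        score, reasons = score_profile(p)
        if score >= threshold:
            hits.append({"pid": p.pid, "image": p.image, "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: -h["score"])


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["pid"], hit["image"], hit["score"], "; ".join(hit["reasons"]))
```

On the constructed sample only the hypothetical wiper process crosses the threshold (score 6); the backup agent scores 2 for the multi-drive sweep and the disk utility scores 2 for the raw device write, which is why a single indicator is kept below the alert threshold. Tune the threshold per environment and treat the ownership change plus raw disk write pair as the highest-confidence combination.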
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0034 | Sandworm Team | [4][5] |
References
- [1] ESET. (2022, March 15). CaddyWiper: New wiper malware discovered in Ukraine. Retrieved March 23, 2022.
- [2] Malhotra, A. (2022, March 15). Threat Advisory: CaddyWiper. Retrieved March 23, 2022.
- [3] Threat Intelligence Team. (2022, March 18). Double header: IsaacWiper and CaddyWiper. Retrieved April 11, 2022.
- [4] Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024.
- [5] Dragos, Inc. (2023, December 11). ELECTRUM Targeted Ukrainian Electric Entity Using Custom Tools and CaddyWiper Malware, October 2022. Retrieved March 28, 2024.