S0693 CaddyWiper
CaddyWiper is a destructive data wiper that has been used in attacks against organizations in Ukraine since at least March 2022.[1][2]
| Item | Value |
|---|---|
| ID | S0693 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 23 March 2022 |
| Last Modified | 11 April 2022 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1485 | Data Destruction | CaddyWiper can work alphabetically through drives on a compromised system to take ownership of and overwrite all files.[1][2] |
| enterprise | T1561 | Disk Wipe | - |
| enterprise | T1561.002 | Disk Structure Wipe | CaddyWiper has the ability to destroy information about a physical drive's partitions, including the MBR, GPT, and partition entries.[1][2] |
| enterprise | T1083 | File and Directory Discovery | CaddyWiper can enumerate all files and directories on a compromised host.[3] |
| enterprise | T1222 | File and Directory Permissions Modification | - |
| enterprise | T1222.001 | Windows File and Directory Permissions Modification | CaddyWiper can modify ACL entries to take ownership of files.[2] |
| enterprise | T1106 | Native API | CaddyWiper has the ability to dynamically resolve and use APIs, including SeTakeOwnershipPrivilege.[2] |
| enterprise | T1057 | Process Discovery | CaddyWiper can obtain a list of current processes.[3] |
| enterprise | T1082 | System Information Discovery | CaddyWiper can use DsRoleGetPrimaryDomainInformation to determine the role of the infected machine. CaddyWiper can also halt execution if the compromised host is identified as a domain controller.[2][3] |
References
1. ESET. (2022, March 15). CaddyWiper: New wiper malware discovered in Ukraine. Retrieved March 23, 2022.
2. Malhotra, A. (2022, March 15). Threat Advisory: CaddyWiper. Retrieved March 23, 2022.
3. Threat Intelligence Team. (2022, March 18). Double header: IsaacWiper and CaddyWiper. Retrieved April 11, 2022.