Two weeks after details emerged about a second data wiper strain delivered in attacks against Ukraine, yet another destructive malware has been detected amid Russia’s continuing military invasion of the country.
Slovak cybersecurity company ESET dubbed the third wiper „CaddyWiper,” which it said it first observed on March 14 around 9:38 a.m. UTC. Metadata associated with the executable („caddy.exe„) shows that the malware was compiled at 7:19 a.m. UTC, a little over two hours prior to its deployment.
CaddyWiper is notable for the fact that it doesn’t share any similarities with previously discovered wipers in Ukraine, including HermeticWiper (aka FoxBlade or KillDisk) and IsaacWiper (aka Lasainraw), the two of which have been deployed in systems belonging to government and commercial entities.
„The ultimate goal of the attackers is the same as with IsaacWiper and HermeticWiper: make the systems unusable by erasing user data and partition information,” Jean-Ian Boutin¸ head of threat research at ESET, told The Hacker News. „All of the organizations targeted by the recent wiper attacks were either in the governmental or financial sector.”
#BREAKING #ESETresearch warns about the discovery of a 3rd destructive wiper deployed in Ukraine 🇺🇦. We first observed this new malware we call #CaddyWiper today around 9h38 UTC. 1/7 pic.twitter.com/gVzzlT6AzN
— ESET research (@ESETresearch) March 14, 2022
Unlike CaddyWiper, both the HermeticWiper and IsaacWiper malware families are said to have been in development for months in advance before their release, with oldest known samples compiled on December 28 and October 19, 2021, respectively.