1. Home
  2. Software
  3. CaddyWiper

CaddyWiper

CaddyWiper is a destructive data wiper that has been used in attacks against organizations in Ukraine since at least March 2022.[1][2]

ID: S0693
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 23 March 2022
Last Modified: 17 April 2024
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1485 Data Destruction

CaddyWiper can work alphabetically through drives on a compromised system to take ownership of and overwrite all files.[1][2]
Enterprise T1561 .002 Disk Wipe: Disk Structure Wipe

CaddyWiper has the ability to destroy information about a physical drive's partitions including the MBR, GPT, and partition entries.[1][2]
Enterprise T1083 File and Directory Discovery

CaddyWiper can enumerate all files and directories on a compromised host.[3]
Enterprise T1222 .001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification

CaddyWiper can modify ACL entries to take ownership of files.[2]
Enterprise T1106 Native API

CaddyWiper has the ability to dynamically resolve and use APIs, including SeTakeOwnershipPrivilege.[2]
Enterprise T1057 Process Discovery

CaddyWiper can obtain a list of current processes.[3]
Enterprise T1082 System Information Discovery

CaddyWiper can use DsRoleGetPrimaryDomainInformation to determine the role of the infected machine. CaddyWiper can also halt execution if the compromised host is identified as a domain controller.[2][3]

Groups That Use This Software

ID Name References
G0034 Sandworm Team

[4][5]

Campaigns

ID Name Description
C0034 2022 Ukraine Electric Power Attack

[4]

References

  1. ESET. (2022, March 15). CaddyWiper: New wiper malware discovered in Ukraine. Retrieved March 23, 2022.
  2. Malhotra, A. (2022, March 15). Threat Advisory: CaddyWiper. Retrieved March 23, 2022.
  3. Threat Intelligence Team. (2022, March 18). Double header: IsaacWiper and CaddyWiper . Retrieved April 11, 2022.
  1. Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024.
  2. Dragos, Inc.. (2023, December 11). ELECTRUM Targeted Ukrainian Electric Entity Using Custom Tools and CaddyWiper Malware, October 2022. Retrieved March 28, 2024.