A new strain of data-wiping malware has been discovered hitting computers in Ukraine with the ability to erase data on the host computer and attached storage devices.
The antivirus provider ESET first observed the Windows-based malware on Monday and has since dubbed it “CaddyWiper.” The company has so far noticed the malicious code, which is only 9 kilobytes in size, on “a few dozen systems in a limited number of organizations” in Ukraine.
The culprits behind the malware remain unknown, but ESET said CaddyWiper was installed after the hackers had already compromised the victim’s network. Specifically, the malware was deployed by hijacking the victim’s Group Policy Object, a Microsoft-created component that can help IT administrators manage and configure computers across a corporate network.
Ukrainian authorities reportedly believe the latest strain, CaddyWiper, has been targeting financial institutions in the country.
Cisco’s Talos security unit has also examined the malware and found it operates by first destroying the files on "C:\Users," before targeting the next drive letter until it reaches the "Z" drive. “This means that the wiper will also attempt to wipe any network mapped drive attached to the system,” Talos said.
To wipe the data, the malware overwrites each file and storage partition with zeros, preventing recovery. However, the malware refrains from erasing the data if it detects that the computer is a domain controller, a server that responds to authentication requests over the corporate network.
“This is probably a way for the attackers to keep their access inside the organization while still disturbing operations,” ESET said.
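The behaviour described above (files overwritten with zeros, drive by drive, with domain controllers left intact) gives responders a concrete footprint to scope the damage by: a user-data file that now consists entirely of 0x00 bytes is a strong sign it was hit. The following triage helper is an added example, not code from ESET, Talos or PCMag; it walks a directory tree, flags files that are non-empty and fully zero-filled, and builds its own constructed sample tree so it runs offline. The file names and sizes in `build_sample_tree` are made up for the demonstration.

```python
"""Added example: find files that look zero-filled, the footprint the report
attributes to CaddyWiper. Assumes nothing beyond the Python standard library."""
import os
from pathlib import Path

CHUNK = 1024 * 1024  # read 1 MiB at a time so large files are not loaded whole


def is_zero_filled(path: Path, min_size: int = 1) -> bool:
    """Return True if the file is at least min_size bytes and every byte is 0x00.

    Empty files are not counted: a wiper that overwrites content leaves the
    original length in place, so a zero-length file is not the pattern we want.
    """
    try:
        size = path.stat().st_size
    except OSError:
        return False  # unreadable or vanished between listing and stat
    if size < min_size:
        return False
    zero_block = bytes(CHUNK)
    with path.open("rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                return True  # reached EOF without seeing a non-zero byte
            if chunk != zero_block[: len(chunk)]:
                return False


def scan_for_zeroed_files(root, min_size: int = 1) -> list:
    """Walk a directory tree and return the sorted paths of zero-filled files.

    Symlinks are skipped so a link into another volume does not get counted
    twice or pull in data outside the tree being scoped.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(Path(root)):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue
            if is_zero_filled(p, min_size):
                hits.append(p)
    return sorted(hits)


def build_sample_tree(base) -> Path:
    """Create a small constructed sample tree (not real victim data) under base."""
    base = Path(base)
    docs = base / "docs"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / "report.docx").write_bytes(b"\x00" * 4096)            # simulated wiped file
    (docs / "notes.txt").write_bytes(b"quarterly notes\n")          # intact file
    (docs / "empty.txt").write_bytes(b"")                           # empty: not a hit
    (docs / "mixed.bin").write_bytes(b"\x00" * 100 + b"\x01")       # partly zero: not a hit
    return base


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for hit in scan_for_zeroed_files(tmp):
            print(f"zero-filled: {hit}")
```

Run it against a mounted image or a restored copy of a user profile rather than the live system, and remember the report's caveat: because the wiper spares domain controllers, a clean DC says nothing about the rest of the estate, so scope from the workstations and mapped drives outward.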
Surprisingly, CaddyWiper shares no computer code similarities with
Read more on pcmag.com