[MART] - Daily Diary #470 - More Wipers Wiping Devices Across Ukraine

CTAS-MAT ctas-mat at appgate.com
Tue Mar 15 21:01:54 UTC 2022

I hope everyone is doing well!

Below is the entry for today.

03/15/2022 - Diary entry #470

In our Daily Diary #462, we covered HermeticWiper, a destructive Malware found in Ukraine during the recent Russia-Ukraine conflict. This month, two new Wipers were disclosed, also found in attacks to Ukrainian organizations in the past weeks.

The first one, named IsaacWiper, was found in at least five organizations. It shares no code with HermeticWiper, being less sophisticated. It targets Windows systems, appearing in the form of an unsigned DLL or EXE. IsaacWiper enumerates the physical drives in the machine, erasing the first 65536 bytes or each disk. Some versions of IsaacWiper were found with debug logs active, meaning that it's probably under development.

The second one, named CaddyWiper, was first observed on March 14. It also shares no code with HermeticWiper neither with IsaacWiper. CaddyWiper was also found being deployed through the Windows domain controller, showing that the attackers had control over the company Active Directory server, in a similar behavior as the attacks that HermeticWiper was found.

Wipers are extremely destructive, but as they are not profitable is not common to find them in the wild. Unlike ransomware, there is no extortion, just plain simple damage. Specialized cybercrime using wipers mean that they are motivated by the damage itself or, most likely, are being founded by a third-party. The fact that the wipers are so different regarding its code reveals that at least three cybercrime groups, with different developers, are participating in these cyberattacks.

Kind Regards,


[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>

Felipe Duarte Domingues
Security Researcher

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/mart/attachments/20220315/fed43d6d/attachment.htm>

More information about the MART mailing list