Thursday 17 March 2022

Analysis of CaddyWiper



  • Name: CaddyWiper

  • Discovered in March 2022

  • Was used in a targeted attack in Ukraine

  • Deployed via Microsoft Active Directory GPO

  • Corrupts files and disk partitions

  • PE32 sample written in C++

  • Compiled on the same day when it was deployed on targeted systems in Ukraine

by Denis Popov


On March 14 2022 ESET research found a new disruptive malware deployed in Ukraine. It was called CandyWiper and it is already the third wiper that was found in the Ukrainian systems. The previous ones were WhisperGate and HermeticWiper. As well as the HermeticWiper, CaddyWiper was also deployed via Microsoft Active Directory GPO.

Technical Details


The CaddyWiper sample was written in C++ and had compilation timestamp 14-03-2022, which matches with the day when it was deployed in the victim's system. This sample has only 10 functions.


All code in the sample is obfuscated in an interesting way. All strings are separated by one character. Even function calls are obfuscated in the same way, so malware has only one imported function and library, but others will be imported during execution.

CaddyWiper retrieves the machine role in the system using the ‘DsRoleGetPrimaryDomainInformation’ function. If the obtained value is ‘DsRole_RolePrimaryDomainController’, the wiper terminates its execution, if other, then it proceeds.

The first folder where CaddyWiper starts its operation is the “C:\Users”. File corruption routine is the ‘sub_6522A0()’ function. 

During ‘sub_6522A0()’ execution wiper loads and uses next functions:

  • FindFirstFileA

  • FindNextFileA

  • CreateFileA

  • LocalAlloc

  • SetFilePointer

  • WriteFile

  • LocalFree

  • CloseHandle

  • FindClose

  • SetEntriesInAclA

  • AllocateAndInitializeSid

  • SetNamedSecurityInfoA

  • GetCurrentProcess

  • OpenProcessToken

  • FreeSid

If the current file is used by another process, CaddyWiper obtains access to it using “SeTakeOwnershipPrivilege”. The first file in the system which CaddyWiper overwrites is ‘C:\Users\desktop.ini’. After overwriting this file the desktop background will be deleted and all shortcuts will be unusable. 

After corrupting the ‘C:\Users’ folder, malware proceeds and goes to the ‘D:\’ logical drive. If it’s present, malware will corrupt its files in the same way as the previous one. This operation will be repeated for all logical drives from ‘D:\’ to ‘Z:\’. If these drives are missing or file corruption is done, it calls the ‘sub_4011D0()’ function, which will corrupt the disk partition.

To perform disk corruption CaddyWiper obtains access to the disk partitions from ‘\.\\\PHYSICALDRIVE9’ to ‘\.\\\PHYSICALDRIVE0’ and performs overwriting the first 1920 bytes of data with ‘0’ using ‘CreateFileW’ and ‘DeviceIoControl’ functions. This operation can be done only if the malware was executed as administrator.

Overwriting first 780h(1920 in decimal) bytes

After disk partitions are corrupted the machine will be rebooted, but the system won’t be started, instead the “FATAL: INT18: BOOT FAILURE” message will be shown on the screen.


All function calls and library names are separated in the PE file. Also, malware employs WinAPI calls obfuscation.


CaddyWiper continues the trend of data wipers in Ukraine. It is the third one found. The previous ones were WhisperGate and HermeticWiper. CaddyWiper doesn’t have any similarities with them, but as well as HermeticWiper, was deployed via Microsoft Active Directory GPO. The analyzed sample has obfuscated strings and API calls. It has two main disruptive functions, one of them corrupts files in the ‘C:\Users’ folder and logical drives from ‘D:\’ to ‘Z:\’, the second one overwrites disk partitions from ‘\.\\\PHYSICALDRIVE9’ to ‘\.\\\PHYSICALDRIVE0’. After the corruption process is done the system will be rebooted, but won’t be started.



File name




MITRE attack techniques





No comments:

Post a Comment