Security researchers have uncovered yet another destructive malware variant targeting Ukrainian machines, the fourth so far this year.
ESET said it made the discovery yesterday, noting that the "CaddyWiper" malware was seen on a few dozen systems in a "limited number" of organizations.
The malware, which erases user data and partition information from attached drives, does not share any code similarities with the previous variants found by ESET: HermeticWiper and IsaacWiper.
The code was not digitally signed and does not resemble any other malware ESET has detected in the past, the security vendor said.
"Similarly to HermeticWiper deployments, we observed CaddyWiper being deployed via GPO, indicating the attackers had prior control of the target's network beforehand," it said in a series of tweets.
"Interestingly, CaddyWiper avoids destroying data on domain controllers. This is probably a way for the attackers to keep their access inside the organization while still disturbing operations."
After analyzing data in the PE header, ESET determined that the malware was deployed the same day it was compiled.
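The field ESET is referring to is the COFF header's TimeDateStamp, which records the build time as Unix epoch seconds. The following is an added example, not ESET's tooling: it parses that field from a PE image and compares it with the time the sample was first observed. The stub header, the epoch values and the `first_seen` timestamps are constructed for the demonstration; `SAMPLE` is not a real wiper binary.

```python
"""Added example: read the PE (COFF) compile timestamp and compare it with
first-seen time. Not ESET's code; the sample bytes below are constructed."""
import struct
from datetime import datetime, timezone


def pe_compile_time(data: bytes) -> int:
    """Return the COFF TimeDateStamp (Unix epoch seconds) of a PE image.

    Layout walked (little-endian throughout):
      0x00        'MZ' DOS magic
      0x3C        e_lfanew, file offset of the 'PE\\0\\0' signature
      sig + 4     COFF file header; TimeDateStamp sits at COFF offset 4
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + 4 + 4)
    return timestamp


def compile_time_utc(data: bytes) -> str:
    """ISO-8601 rendering of the compile timestamp, in UTC."""
    return datetime.fromtimestamp(pe_compile_time(data), tz=timezone.utc).isoformat()


def hours_until_deploy(data: bytes, first_seen_epoch: int) -> float:
    """Hours between compilation and the (hypothetical) first sighting."""
    return (first_seen_epoch - pe_compile_time(data)) / 3600


def compiled_same_day(data: bytes, first_seen_epoch: int) -> bool:
    """True when build date and first-seen date agree (UTC calendar days)."""
    built = datetime.fromtimestamp(pe_compile_time(data), tz=timezone.utc).date()
    seen = datetime.fromtimestamp(first_seen_epoch, tz=timezone.utc).date()
    return built == seen


def build_stub_pe(timestamp: int) -> bytes:
    """Constructed minimal header: DOS stub, PE signature, 20-byte COFF header.

    Just enough bytes for the parser above; it is not a loadable executable.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> right after the stub
    coff = struct.pack(
        "<HHIIIHH",
        0x14C,        # Machine: i386 (assumed value)
        0,            # NumberOfSections
        timestamp,    # TimeDateStamp
        0, 0,         # PointerToSymbolTable, NumberOfSymbols
        0,            # SizeOfOptionalHeader
        0x102,        # Characteristics: executable, 32-bit
    )
    return bytes(dos) + b"PE\0\0" + coff


# Constructed sample: built 2022-03-14 07:00:00 UTC (not the real CaddyWiper timestamp).
SAMPLE = build_stub_pe(1647241200)

if __name__ == "__main__":
    first_seen = 1647241200 + 9000      # hypothetical sighting 2.5 h later
    print("compiled:", compile_time_utc(SAMPLE))
    print("hours to deploy:", hours_until_deploy(SAMPLE, first_seen))
    print("same day:", compiled_same_day(SAMPLE, first_seen))
```

A short compile-to-deploy window is good evidence of a purpose-built tool, but treat it as a hint rather than proof: TimeDateStamp is a plain integer the builder can zero, forge, or set to a hash (reproducible builds do exactly that), so it should be weighed alongside other artifacts rather than on its own.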
While HermeticWiper and IsaacWiper were both used in the early days of the Russian invasion, the first of the four wipers, dubbed "WhisperGate" by Microsoft, was discovered in January.
In related news, the Ukrainian CERT has warned of a new phishing campaign in which the sender impersonates government agencies to trick users into clicking on a booby-trapped link.
The link takes users to a 'Windows AV update page' so that they can improve their security, the email claims. In reality, the "BitdefenderWindowsUpdatePackage.exe" downloads and runs the "one.exe" file from Discord, which is a Cobalt Strike beacon in disguise.
Cobalt Strike is a legitimate penetration-testing tool for remote access and lateral movement that is commonly abused by threat actors.
Another executable, "dropper.exe," leads to the execution of two more payloads, in the form of the GraphSteel backdoor (microsoft-cortana.exe) and the GrimPlant backdoor (oracle-java.exe).
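The chain above lends itself to hunting on behaviour rather than on the exact filenames, which the attackers can change at will. The following added example (not CERT-UA's or the article's code) runs two rules over constructed process-creation and network events: anything launched beneath a process that fetched a file from the Discord CDN, and any executable with a vendor-style name (`microsoft-*`, `oracle-*`) running from a user-writable directory instead of Program Files. The event field names, the PIDs and the file paths are all assumptions made for the demonstration; the article only gives the filenames.

```python
"""Added example: behaviour-based hunt for the phishing chain described above.
Not CERT-UA's code; events, paths and PIDs below are constructed."""
import re

# Vendor-looking binary names such as microsoft-cortana.exe / oracle-java.exe.
VENDOR_NAME = re.compile(r"^(microsoft|oracle)-[\w-]+\.exe$", re.I)
# Locations a normal user can write to; real vendor binaries live elsewhere.
USER_WRITABLE = re.compile(r"^c:\\(users|programdata|windows\\temp)\\", re.I)
DISCORD_CDN = re.compile(r"^https?://cdn\.discordapp\.com/", re.I)

# Constructed telemetry modelled on the chain in the article (layout is an assumption).
EVENTS = [
    {"type": "process", "pid": 4100, "ppid": 3020,
     "image": r"C:\Users\olena\Downloads\BitdefenderWindowsUpdatePackage.exe"},
    {"type": "network", "pid": 4100,
     "url": "https://cdn.discordapp.com/attachments/1/2/one.exe"},
    {"type": "process", "pid": 4188, "ppid": 4100,
     "image": r"C:\Users\olena\AppData\Local\Temp\one.exe"},
    {"type": "process", "pid": 4210, "ppid": 4100,
     "image": r"C:\Users\olena\AppData\Local\Temp\dropper.exe"},
    {"type": "process", "pid": 4250, "ppid": 4210,
     "image": r"C:\Users\olena\AppData\Local\Temp\microsoft-cortana.exe"},
    {"type": "process", "pid": 4251, "ppid": 4210,
     "image": r"C:\Users\olena\AppData\Local\Temp\oracle-java.exe"},
    # Benign control: a real Java runtime launched from Program Files.
    {"type": "process", "pid": 5000, "ppid": 900,
     "image": r"C:\Program Files\Java\bin\java.exe"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(procs: dict, pid: int, depth: int = 3) -> list:
    """Return up to `depth` ancestor process events of pid, nearest first."""
    chain = []
    while pid in procs and len(chain) < depth:
        parent = procs[pid]["ppid"]
        if parent not in procs:
            break
        chain.append(procs[parent])
        pid = parent
    return chain


def hunt(events: list) -> list:
    """Return (pid, image name, [reasons]) for every process that trips a rule."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    downloaders = {e["pid"] for e in events
                   if e["type"] == "network" and DISCORD_CDN.match(e["url"])}
    findings = []
    for p in procs.values():
        reasons = []
        if p["pid"] in downloaders:
            reasons.append("fetched content from cdn.discordapp.com")
        # Rule 1: launched by, or within three hops beneath, a Discord CDN downloader.
        hops = [i + 1 for i, a in enumerate(ancestry(procs, p["pid"]))
                if a["pid"] in downloaders]
        if hops:
            reasons.append(f"{hops[0]} hop(s) below a cdn.discordapp.com download")
        # Rule 2: vendor-style image name running from a user-writable directory.
        if VENDOR_NAME.match(basename(p["image"])) and USER_WRITABLE.match(p["image"]):
            reasons.append("vendor-style image name outside Program Files")
        if reasons:
            findings.append((p["pid"], basename(p["image"]), reasons))
    return findings


def flagged_pids(events: list) -> list:
    return sorted(pid for pid, _, _ in hunt(events))


def reasons_for(events: list, pid: int) -> list:
    return next((r for p, _, r in hunt(events) if p == pid), [])


if __name__ == "__main__":
    for pid, name, reasons in hunt(EVENTS):
        print(pid, name, "->", "; ".join(reasons))
```

Both backdoors trip two rules at once (they sit two hops beneath the Discord download and carry a vendor-style name from a Temp directory), while the genuine `java.exe` under Program Files produces nothing. Neither rule mentions `one.exe` or `dropper.exe` by name, which is the point: renaming the payloads would not evade it, whereas moving them under Program Files or swapping the hosting service would, so this is a supplement to hash and filename indicators rather than a replacement.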
Some parts of this article are sourced from:
www.infosecurity-magazine.com