ESET discovered yet another distinct wiper malware deployed against Ukraine. This is the third discovered by ESET and the fourth overall since Jan. 15.
The latest wiper, dubbed CaddyWiper, was discovered just before noon Monday, Ukrainian time. It shares no known overlap with any of the previous wipers, or any other malware. ESET announced its discovery in a Twitter thread.
ESET had previously discovered HermeticWiper and IsaacWiper around the date of Russia's invasion of Ukraine. About a month earlier, Microsoft announced the discovery of WhisperGate.
Early indications from ESET's telemetry show CaddyWiper infected only "a few dozen systems in a limited number of organizations." That would make CaddyWiper appear to be a substantially more limited attack than HermeticWiper, which ESET immediately said it saw in hundreds of systems in Ukraine (and Symantec found in two machines in Latvia and Lithuania).
Attackers installed the malware using Group Policy Objects (GPOs), a tactic also seen in HermeticWiper. The malware is designed to avoid infecting domain controllers, which ESET speculated in its Twitter thread "is probably a way for the attackers to keep their access inside the organization while still disturbing operations."
CaddyWiper appears to have been compiled the same day it was deployed. HermeticWiper, on the other hand, was compiled and installed on systems months before it was deployed.
Though Russia's aggression in Ukraine is ongoing, and the U.S. has said it continues to be "vigilant" about new cyberattacks in the region, neither ESET nor any other organization has formally attributed the malware to Russia.