The ongoing conflict between Russia and Ukraine has impacted cyberspace as well. Recently, Ukraine has been observed facing new waves of targeted cyberattacks on its infrastructure.
Researchers have reported two different types of attacks including data wiping malware and a phishing attack that baits using fake antivirus updates.
The CaddyWiper malware
According to ESET Research Labs, CaddyWiper erases user data and partition information from attached drives. The malware was spotted on a few dozen systems in a limited number of organizations.
The wiper uses the DsRoleGetPrimaryDomainInformation() function to check if a device is a domain controller. If found on the controller, the data on the domain controller will not be deleted.
This tactic is used by the attackers for maintaining access inside compromised networks while mainly disturbing operations by wiping other critical devices.
The malware was deployed in attacks the same day it was compiled and deployed through GPO, suggesting the attackers already had control of the target's network.
The Fake antivirus Trap
Ukraine's CERT has raised a warning against fake Windows antivirus updates installing Cobalt Strike and other malware such as GraphSteel and GrimPlant backdoor.
Attackers send phishing emails impersonating Ukrainian government agencies, asking the potential victims to download security updates, which is a 60 MB file (BitdefenderWindowsUpdatePackage[.]exe).
These emails usually have a link to a French website offering download buttons for antivirus software updates, along with another site (nirsoft[.]me) acting as the C2 server for the campaign.
When a victim downloads and executes the software updates, they are asked to install a Windows Update Package. The package downloads one[.]exe file, which is the Cobalt Strike Beacon.
The Ukrainian agency has linked the recent activity with the UAC-0056 group with medium confidence. The UAC-0056 threat actor is believed to be a sophisticated Russian-speaking APT group.
CaddyWiper is the next wave of wiper attacks, following the trend of previous waves of wiper attacks using IsaacWiper and HermeticWiper malware. Furthermore, this wiper does not have any significant code similarity with these other malware strains, which indicates that Russian attackers are continuously working on creating new malware, possibly making them more efficient and mass destructive.