SECURITY

Threat Update: CaddyWiper

As the conflict in Eastern Europe continues, the Splunk Threat Research Team (STRT) is constantly monitoring new developments, especially those related to destructive software. As we have showcased in previous releases in relation to destructive software and HermeticWiper, malicious actors modify their TTPs in order to become more effective and achieve their objectives. In the case of HermeticWiper, we witnessed the introduction of new features since the increment of malicious cyber activity targeting Ukraine from last month. 

We now have a new payload recently discovered by ESET named CaddyWiper, indicating no code sharing with previous malicious payloads during this campaign. There is one thing however that has been seen during the deployment of payloads, and that is the use of Group Policy Objects (GPOs). 

Group Policy Objects are Microsoft Active Directory network policies that can be applied selectively to computers, organizational units, applications, and individual users. Splunk Security research has previously shown how to use GPOs to defend against Ransomware, as the selective and massive application of these settings helps streamline, enforce and harden security policies. 

However, as we have witnessed, GPOs can be used to harm if malicious actors can compromise domain administrators. This new malicious payload, incorporates the following features:

  • Domain Controller killswitch. If payload detects installation on a Domain Controller it stops its functions. 
  • If not in a Domain Controller it destroys users data “C:\Users” and subsequent mapped drives (this may include network mapped drives). 
  • If not in a Domain Controller it destroys drive partitions including boot partitions (\\.\PhysicalDrive9 to \\.\PhysicalDrive0) 

The above new features indicate the intention of malicious actors to maintain access to Domain Controllers and deploy destructive software without the need to have to compromise and get access again if they were destroyed and had to be reinstalled. This approach is much more tactical and it also gives attackers the possibility to modify, re-apply, or enforce GPOs that can achieve the deployment of this destructive payload. Below is a breakdown of these features.

Domain Controller Kill Switch

This wiper will prepare the module name and API name string on the stack to dynamically parse it upon execution. Then it will execute DsRolePrimaryDomainInformation() API to retrieve the state data of the targeted host. If the state role of the computer is DsRole_RolePrimaryDomainController caddywiper will exit its process.
 

Overwriting Files with Zeroed Buffer

If the computer is not a Domain Controller it will start to do its payload. One of them is overwriting files in C:\users directory and from Drive D:\ until Drive Z:\.
 


If it finds a file that is not a folder and has a hidden system attribute, it will adjust the Security identifier permission of its process as well as its TokenPrivileges to “SeTokenOwnershipPrivilege” to be able to access those files.
 


After that checking, Caddywiper will  initialize a zeroed buffer based on the file size of the file it found. If the file size is greater than 0xA00000, It will set the maximum zeroed buffer size to 0xA00000. That buffer will be used to overwrite the files and make them unrecoverable.
 


Wiping Boot Partitions

This payload will enumerate all possible boot sectors partitions from \\.\PhysicalDrive9 to \\.\PhysicalDrive0 to overwrite it with a zeroed buffer with size of 1920 bytes. The wiping was executed using DeviceIoControl IOCTL_DISK_SET_DRIVE_LAYOUT_EX.
 



 

Name

Technique ID

Tactic

Description

Windows Raw Access To Disk Volume Partition

T1561.002

Impact

This analytic is to look for suspicious raw access read to device disk partition of the host machine. This technique was seen in several attacks by adversaries or threat actor to wipe, encrypt or overwrite the boot sector of each partition as part of their impact payload for example the “hermeticwiper” malware.

Windows Raw Access To Master Boot Record Drive

T1561.002

Impact

This analytic is to look for suspicious raw access read to drive where the master boot record is placed. This technique was seen in several attacks by adversaries or threat actors to wipe, encrypt or overwrite the master boot record code as part of their impact payload.


Mitigate via GPO

As mentioned in this Threat Update GPOs can also be used defensively and the Splunk Security Research has previously shown how to apply them in a defensive manner. Here are some examples of GPO that can be applied to protect  against destructive software attacks:

  • Force logoff
  • Remove Computer from Domain
  • Disable password changes
  • Disable access to network shares
  • Enforce account lockout
  • Prevent further download of payloads from the internet
  • Apply firewall rules
  • Prevent reboot of computers 
     

The above GPO settings in combination with Splunk SOAR playbooks such as Ransomware Investigate and Contain may improve defenses and containment of these types of attacks. 

Mitigation 

The Cybersecurity & Infrastructure Security Agency (CISA) has provided numerous guidelines on how to prepare, defend and respond against destructive software attacks. The following links provide extensive information on the subject. 

Splunk Threat Research Related Resources

Learn More

You can find the latest content about security analytic stories on research.splunk.com. For a full list of security content, check out the release notes on Splunk Docs.

Contributors

We would like to thank the following for their contributions to this post.

  • Teoderick Contreras
  • Rod Soto
  • Jose Hernandez
  • Patrick Barreiss
  • Lou Stella
  • Mauricio Velazco 
  • Michael Haag
  • Bhavin Patel
  • Eric McGinnis

 

The Splunk Threat Research Team is an active part of a customer’s overall defense strategy by enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond against the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks which are stored as datasets in the Attack Data repository

Our goal is to provide security teams with research they can leverage in their day to day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more.


Read more Splunk Security Content

TAGS

Threat Update: CaddyWiper

Show All Tags
Show Less Tags

Join the Discussion