Rewterz Threat Alert – APT Group Gamaredon – Active IOCs – Russian-Ukrainian Cyber Warfare
April 6, 2022Rewterz Threat Alert – FarAttack Ransomware – Active IOCs
April 6, 2022Rewterz Threat Alert – APT Group Gamaredon – Active IOCs – Russian-Ukrainian Cyber Warfare
April 6, 2022Rewterz Threat Alert – FarAttack Ransomware – Active IOCs
April 6, 2022Severity
Medium
Analysis Summary
CaddyWiper is another destructive data wiper suspected to be targeting Ukraine. The wiper, which erases user data and information from associated drives, was discovered on several systems in a limited number of companies. By overwriting the data with a NULL value, CaddyWiper removes all files under C:\Users as well as all files under accessible discs from D: to Z:.
If the size of the target file exceeds 0xA00000 bytes (10MB), it only wipes the first 0xA00000 bytes. CaddyWiper shares no code similarities with HermeticWiper or IsaacWiper, the other two new data wipes that have infected Ukrainian organizations. However, this wiper has a tactical overlap with HermeticWiper as it was deployed via the Windows domain controller, implying that the attackers had gained control of the Active Directory server.
Impact
- Data Exfiltration
- Credential Theft
- Financial Loss
Indicators of Compromise
MD5
- 728f13a93b62699e8f94f2d14a989bac
- ea4c9133ebdfaab33fb22e5b559f5bfa
- 42bdac800cc66c1dd5f78b0168a2a7fc
SHA-256
- b66b179eac03afafdc69f62c207819eceecfbf994c9efa464fda0d2ba44fe2d7
- 9d83817f7cae01554f77680ed7e6698966bcf020915c0dc411e5d57f6eea6ed4
- 5cc51f29c6074d9741d6e68bcf9ce8363d623437ea11506a36791b4763cefdc7
SHA1
- 776e573676406e2311de0b40b9f2e98fd5b1fc4d
- c648330911f64df9b3e8eebb53891361a64c09c5
- 51ac19ec006b1e565c732d8940f32160ecff0983
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.