As Ukrainian organizations are getting hit with yet another data-wiping malware, financially motivated threat actors are choosing sides and some of them are expressing their willingness to target Russian targets.
Malware hitting Ukranian targets
WhisperGate, HermeticWiper and IsaacWiper, and now CaddyWiper – Ukrainian organizations are fielding an onslaught of data-wiping malware that seems to have been created to sow destruction during the ongoing real-world conflict.
According to ESET researchers, CaddyWiper destroys user data and partition information from attached drives, and has been spotted on several dozen systems in a limited number of organizations.
“CaddyWiper does not share any significant code similarity with HermeticWiper, IsaacWiper or any other malware known to us. The sample we analyzed was not digitally signed,” they shared.
Similarly to HermeticWiper, CaddyWiper is being deployed after threat actors infiltrate the network, via Group Policy Objects (GPOs).
“Interestingly, CaddyWiper avoids destroying data on domain controllers. This is probably a way for the attackers to keep their access inside the organization while still disturbing operations,” they added.
Other malware researchers have also shared their findings:
API strings are stack based to evade detection #Malware pic.twitter.com/FVJQ7ofyDV
— marc ochsenmeier (@ochsenmeier) March 15, 2022
Ukraine’s CERT has also warned about malicious payloads masquerading as antivirus/Windows security updates being aimed at Ukrainian targets, via emails impersonating Ukrainian governmental bodies.
— MalwareHunterTeam (@malwrhunterteam) March 11, 2022
The delivered malware is a Cobal Strike beacon, the GraphSteel and the GrimPlant backdoors. The backdoors are capable of collecting system information, steal account credentials, and execute commands received from the C2 server(s).
Some cybercriminals might target Russian entities
A report released on Monday by Accenture revealed that a rift along ideological lines is happening on Russian-language criminal underground forums, with some threat actors sympathizing with the Ukrainian side.
“A recent survey by a member of one such forum examined how many actors were willing to target Russian entities; as of March 7, 2022, 83% said they were not, but a surprisingly high 17% indicated they were. Given the historical absence of CIS targeting and the fact that this forum is pro-Russia this indicates an unprecedented ideological divide,” the researchers explained.
Pro-Ukrainian actors are refusing to sell, buy, or collaborate with Russian-aligned actors and are increasingly attempting to target Russian entities. Pro-Russian actors are doing the same – some initial network access brokers have even offered discounts to pro-Russian actors interested in buying access to Ukrainian organizations, and are refraining from selling accesses associated with Russian entities.
The researchers have also noted an increased interest by pro-Russia threat actors to target organizations in countries that are considered to be “enemies of Russia,” and expect Western targets in the resources, government, media, financial and insurance industries to be hit.
“The targeting of financial and insurance entities is due to the perception that they are the working arms of Western financial sanctions, whereas the targeting of utilities and resources entities is due to those organizations’ importance as critical national infrastructure,” they added.