CaddyWiper

"...створено об'єкт групової політики (GPO), що, у свою чергу, забезпечував створення відповідних запланованих завдань." and "Windows_Security_Update_HxW (Scheduled Task)"

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

"...створено об'єкт групової політики (GPO), що, у свою чергу, забезпечував створення відповідних запланованих завдань." and "Windows_Security_Update_HxW (Scheduled Task)"

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

"...створено об'єкт групової політики (GPO), що, у свою чергу, забезпечував створення відповідних запланованих завдань." and "Windows_Security_Update_HxW (Scheduled Task)"

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

The content includes multiple anti-analysis and environment checks, such as "OopsIE checks for information on the CPU fan, temperature, mouse, hard disk, and motherboard as part of its anti-VM checks" and "Raspberry Robin performs several system checks as part of anti-analysis mechanisms."

Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.

The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."

“3PARA RAT has a command to retrieve metadata for files on disk as well as a command to list the current working directory… admin@338 actors used… dir c:\ >> %temp%\download … APT28 has used Forfiles to locate PDF, Excel, and Word documents…”

"CaddyWiper can use DsRoleGetPrimaryDomainInformation to determine the role of the infected machine. CaddyWiper can also halt execution if the compromised host is identified as a domain controller."

The content includes multiple anti-analysis and environment checks, such as "OopsIE checks for information on the CPU fan, temperature, mouse, hard disk, and motherboard as part of its anti-VM checks" and "Raspberry Robin performs several system checks as part of anti-analysis mechanisms."

During the 2022 Ukraine Electric Power Attack, Sandworm Team used a Group Policy Object (GPO) to copy CaddyWiper's executable msserver.exe from a staging server to a local hard drive before deployment.

"...з метою централізованого розповсюдження шкідливих програм, створено об'єкт групової політики (GPO)..." and paths under "\\%DOMAIN%\\SYSVOL...\\news.bat" / "upd.exe"

The hackers also deployed multiple forms of 'wiper' malware designed to destroy data on computers within the utility.

"GRU operations... frequently end with the deployment of wipers... CADDYWIPER... overwrites both file content and partitions with null bytes."

“AcidPour can identify various system locations and mapped devices on Linux systems as a precursor to wiping activity.”

APT37 has access to destructive malware that is capable of overwriting a machine's Master Boot Record (MBR). APT38 has used a custom MBR wiper named BOOTWRECK to render systems inoperable. CaddyWiper has the ability to destroy information about a physical drive's partitions including the MBR, GPT, and partition entries.

"The attacker additionally attempted to exclude the file from antivirus scans."