A fourth variety of wiper malware and a poisoned Windows antivirus update, both aimed at Ukraine, have been found by security researchers.
The discoveries should be of concern to infosec pros watching the cyberwar between Russia and Ukraine as signs of what may be to come if the online fight spreads wider.
Data wipers
ESET, headquartered in Bratislava, Slovakia, said it found the destructive data wiper it dubs CaddyWiper early Monday morning, European time. The malware was spotted on several dozen systems in a limited number of organizations.
CaddyWiper bears no major code similarities to either HermeticWiper or IsaacWiper, the other two new data wipers found by ESET that have struck organizations in Ukraine since February 23rd, the company said.
“Much like with HermeticWiper, however, there’s evidence to suggest that the bad actors behind CaddyWiper infiltrated the target’s network before unleashing the wiper,” the researchers said. They didn’t identify the threat actor who deployed it.
Another data wiper, dubbed WhisperGate by Microsoft, hit the networks of multiple organizations in Ukraine in January.
Fake antivirus update
Also on Monday, Ukraine’s Computer Emergency Response Team warned that unnamed threat actors are distributing fake Windows antivirus updates that install Cobalt Strike and other malware.
According to Bleeping Computer, the “updates” are being sent by phishing messages that impersonate Ukrainian government agencies offering ways to increase network security. Recipients are told to download “critical security updates,” which come in the form of a 60 MB file named “BitdefenderWindowsUpdatePackage.exe.”
What actually gets downloaded is a Cobalt Strike beacon, typically used by hackers for network surveillance and communications. In this case it leads to the downloading of two backdoors onto victims’ computers.
Anonymous group strikes Russian company
On the other side, the Anonymous hactivist group has reportedly struck the German subsidiary of the Russian energy company Rosneft. Toby Lewis, global head of threat analysis at Darktrace, notes that Anonymous is backing up its claim with screenshots that show wiped corporate iPhones and at least one file server. The attackers allege weak and easily guessed iPhone passwords helped.
“The urgent challenge for defenders of critical national infrastructure globally is to be able to interrupt attacks once they get inside, before normal business operations are disrupted and before widespread shutdowns,” Lewis wrote.