New variant of AcidRain modem wiper that hit Viasat spotted in the wild

A new version of the data-wiping malware AcidRain, this one built for Linux x86 devices, has been observed in the wild, SentinelOne's Juan Andres Guerrero-Saade said in a series of posts on X.

AcidRain is data-wiping malware previously linked to the massive hack of international satellite internet and TV provider Viasat on February 24, 2022, the day Russia invaded Ukraine, which rendered Viasat KA-SAT modems in Ukraine inoperable.

The attackers, believed to be associated with Russia, took advantage of a misconfiguration in a VPN appliance to gain remote access to the trusted management segment of the KA-SAT network. They then used that access to execute commands on a large number of residential modems, overwriting key data in the modems' flash memory and cutting them off from the network.

The original AcidRain is an ELF binary compiled for MIPS and designed to wipe modems and routers. Security researchers identified some similarities between AcidRain and the VPNFilter malware linked to the Russian state-backed threat actor Sandworm. Following the 2018 public exposure of VPNFilter, Sandworm developed a replacement malware framework called 'Cyclops Blink', which has mainly targeted firewall appliances such as WatchGuard devices, as well as Asus routers.

The new AcidRain variant, dubbed "AcidPour," was uploaded to VirusTotal, a malware information-sharing platform, on March 16, 2024. The new version comes with new features and could be used as part of a "larger service disruption by Russia" to wipe the contents of not just modems but a range of other devices.

Juan Andres Guerrero-Saade said that AcidPour has a largely different codebase and is designed to wipe RAID arrays and Unsorted Block Image (UBI) volumes, the flash-management layer beneath the UBIFS file system that is common in embedded systems built around raw flash (IoT, networking devices, some ICS). It does this through the addition of device paths such as "/dev/dm-XX" (Linux Device Mapper nodes, which back software RAID and logical volumes) and "/dev/ubiXX," respectively.
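The two details above that a responder can act on are the target architecture (MIPS for the original AcidRain, x86 for AcidPour) and the set of device nodes the wiper opens. The following Python triage script is an added example, not SentinelOne's tooling and not code from either malware family: it parses the ELF identification bytes and e_machine field of a sample and scans the image for block- and flash-device paths. The "/dev/dm-" and "/dev/ubi" patterns are the ones the article attributes to AcidPour; the MTD, MMC, SCSI-disk and loop patterns are an assumed extension of the watch list, and the two sample blobs are constructed here rather than captured binaries.

```python
"""Offline triage of a suspected Linux block/flash wiper sample (added example)."""
import re
import struct
import sys
from dataclasses import dataclass, field
from typing import List, Optional

# ELF e_machine constants for the architectures relevant to this story.
ELF_MACHINES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}

# Watch list of device-node patterns a block/flash wiper would open.
# /dev/dm-XX and /dev/ubiXX are the paths the article attributes to AcidPour;
# the MTD, MMC, SCSI-disk and loop nodes are generic Linux block/flash devices
# added here as an assumption about what else such a wiper would reference.
DEVICE_NODE_RE = re.compile(
    rb"/dev/(?:dm-\d+|ubi\d+(?:_\d+)?|mtd(?:block)?\d+|mmcblk\d+|sd[a-z]+|loop\d+)"
)


@dataclass
class ElfTriage:
    is_elf: bool
    bits: Optional[int] = None
    endian: Optional[str] = None
    machine: Optional[str] = None
    device_nodes: List[str] = field(default_factory=list)

    @property
    def looks_like_block_wiper(self) -> bool:
        # Heuristic only: a legitimate flashing utility references these nodes too.
        return self.is_elf and len(self.device_nodes) > 0


def triage_elf(data: bytes) -> ElfTriage:
    """Parse e_ident and e_machine, then scan the whole image for device-node
    strings. Safe to run on any bytes: a non-ELF file just reports is_elf=False."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return ElfTriage(is_elf=False)
    bits = {1: 32, 2: 64}.get(data[4])             # EI_CLASS
    endian = {1: "little", 2: "big"}.get(data[5])  # EI_DATA
    if bits is None or endian is None:
        return ElfTriage(is_elf=False)
    fmt = "<H" if endian == "little" else ">H"
    (e_machine,) = struct.unpack_from(fmt, data, 18)  # e_type at 16, e_machine at 18
    machine = ELF_MACHINES.get(e_machine, f"unknown(0x{e_machine:x})")
    nodes = sorted({m.decode("ascii") for m in DEVICE_NODE_RE.findall(data)})
    return ElfTriage(True, bits, endian, machine, nodes)


def build_sample(e_machine: int, little_endian: bool, bits: int, strings: List[bytes]) -> bytes:
    """Construct a fake ELF-like blob for offline testing: a valid 16-byte e_ident,
    e_type/e_machine, zero padding, then NUL-separated strings. Not a loadable
    binary; it only stands in for a captured sample."""
    ident = b"\x7fELF" + bytes([1 if bits == 32 else 2, 1 if little_endian else 2, 1])
    ident += b"\x00" * 9  # EI_OSABI, EI_ABIVERSION, EI_PAD -> 16 bytes total
    fmt = "<HH" if little_endian else ">HH"
    header = ident + struct.pack(fmt, 2, e_machine) + b"\x00" * 44  # e_type = ET_EXEC
    return header + b"\x00".join(strings) + b"\x00"


# Constructed samples standing in for the two families described in the article:
# a big-endian 32-bit MIPS image touching MTD/SCSI nodes (AcidRain-style) and a
# little-endian x86-64 image touching Device Mapper and UBI nodes (AcidPour-style).
MIPS_SAMPLE = build_sample(8, False, 32, [b"/dev/mtdblock0", b"/dev/sda", b"restart"])
X86_SAMPLE = build_sample(62, True, 64, [b"/dev/dm-0", b"/dev/ubi0", b"/dev/ubi0_1", b"/dev/sdb"])


if __name__ == "__main__":
    # Usage: python triage.py [file ...]; with no arguments, triage the constructed samples.
    blobs = [open(p, "rb").read() for p in sys.argv[1:]] or [MIPS_SAMPLE, X86_SAMPLE]
    for blob in blobs:
        t = triage_elf(blob)
        print(f"elf={t.is_elf} {t.bits}-bit {t.endian} {t.machine} "
              f"wiper_like={t.looks_like_block_wiper} nodes={t.device_nodes}")
```

Reading e_machine with the endianness taken from EI_DATA matters here: MIPS router firmware is usually big-endian while x86 is little-endian, so a fixed-endian parse would misidentify one of the two. The device-node scan is deliberately a coarse string match; it is a first-pass triage signal to decide what to escalate, not a verdict.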

While it is currently unclear who the intended victim is, the researcher said SentinelOne has alerted the relevant Ukrainian authorities to the potential threat.
