Russian APT Releases More Deadly Variant of AcidRain Wiper Malware
New AcidPour variant can attack a significantly broader range of targets including IoT devices, storage area networks, and handhelds.
March 22, 2024
Researchers have uncovered a more dangerous and prolific version of the wiper malware used by Russian military intelligence to disrupt satellite broadband service in Ukraine just prior to Russia's invasion of the country in February 2022.
The new variant, "AcidPour," bears multiple similarities with its predecessor but is compiled for X86 architecture, unlike AcidRain which targeted MIPS-based systems. The new wiper also includes features for its use against a significantly broader range of targets than AcidRain, according to researchers at SentinelOne who discovered the threat.
Wider Destructive Capabilities
"AcidPour's expanded destructive capabilities include Linux Unsorted Block Image (UBI) and Device Mapper (DM) logic, which impacts handhelds, IoT, networking, or, in some cases, ICS devices," says Tom Hegel, senior threat researcher at SentinelOne. "Devices like storage area networks (SANs), network attached storage (NAS), and dedicated RAID arrays are also now in scope for AcidPour's effects."
Another new capability of AcidPour is a self-delete function that erases all traces of the malware from systems it infects, Hegel says. AcidPour is a relatively more sophisticated wiper overall than AcidRain, he says, pointing to the latter's excessive use of process forking and unwarranted repetition of certain operations as examples of its overall sloppiness.
SentinelOne discovered AcidRain in February 2022 following a cyberattack that knocked offline some 10,000 satellite modems associated with communications provider Viasat's KA-SAT network. The attack disrupted consumer broadband service for thousands of customers in Ukraine, and to tens of thousands of people in Europe. SentinelOne concluded that the malware was likely the work of a group associated with Sandworm (aka APT 28, Fancy Bear, and Sofacy), a Russian operation responsible for numerous disruptive cyberattacks in Ukraine.
SentinelOne researchers first spotted the new variant, AcidPour, on March 16 but have not observed anyone using it in an actual attack yet.
Sandworm Ties
Their initial analysis of the wiper revealed multiple similarities with AcidRain — which a subsequent deeper dive then confirmed. The notable overlaps that SentinelOne discovered included AcidPour's use of the same reboot mechanism as AcidRain, and identical logic for recursive directory-wiping.
SentinelOne also found AcidPour's IOCTL-based wiping mechanism to be the same as the wiping mechanism in AcidRain and in VPNFilter, a modular attack platform that the US Department of Justice has linked to Sandworm. IOCTL is a mechanism for securely erasing or wiping data from storage devices by sending specific commands to the device.
"One of the most interesting aspects of AcidPour is its coding style, reminiscent of the pragmatic CaddyWiper broadly utilized against Ukrainian targets alongside notable malware like Industroyer 2," SentinelOne said. Both CaddyWiper and Industroyer 2 are malware used by Russia-backed state groups in destructive attacks on organizations in Ukraine, even before Russia's February 2022 invasion of the country.
Ukraine's CERT has analyzed AcidPour and attributed to UAC-0165, a threat actor that is part of the Sandworm group, SentinelOne said.
AcidPour and AcidRain are among numerous wipers that Russian actors have deployed against Ukrainian targets in recent years —and particularly after the onset of the current war between the two countries. Even though the threat actor managed to knock thousands of modems offline in the Viasat attack, the company was able to recover and redeploy them after removing the malware.
In many other instances, though, organizations have been forced to discard systems following a wiper attack. One of the most notable examples is the 2012 Shamoon wiper attack on Saudi Aramco that crippled some 30,000 systems at the company.
As was the case with Shamoon and AcidRain, threat actors typically have not needed to make wipers sophisticated to be effective. That's because the only function of the malware is to overwrite or delete data from systems and render them useless, so evasive tactics and obfuscation techniques associated with data theft and cyber espionage attacks aren't necessary.
The best defense for wipers — or to limit damage from them — is to implement the same kind of defenses as for ransomware. That means having backups in place for critical data and ensuring robust incident response plans and capabilities.
Network segmentation is also key because wipers are more effective when they are able to spread to other systems, so that type of defense posture helps thwart lateral movement.
About the Author
You May Also Like