A new destructive malware named AcidPour was spotted in the wild, featuring data-wiper functionality and targeting Linux x86 IoT and networking devices.
Data wipers are a class of malware designed for destructive attacks that delete files and data on targeted devices. This type of malware is typically used to disrupt an organization’s operations for political reasons or as a distraction from a larger attack.
The new malware spotted by SentinelLabs’ security researcher Tom Hegel, AcidPour, is considered a variant of the AcidRain data wiper.
AcidRain is a data-wiping malware designed to erase files on routers and modems. The malware was used in a cyberattack against satellite communications provider Viasat, which impacted service availability across Ukraine and Europe.
AcidPour was uploaded from Ukraine on March 16, 2024, which complicates tracing its operators, as AcidRain was used against the country previously.
A thread on X by Juan Andrés Guerrero Saade provides some details about the new variant, though it’s unknown whether it has been used in any attacks in the wild and who its targets may have been.
The AcidPour wiper
AcidPour shares many similarities with AcidRain, such as targeting specific directories and device paths common in embedded Linux distributions, but their codebases overlap by only an estimated 30%.
This suggests either significant evolution or possibly a different origin. Guerrero Saade says it isn’t unlikely that a different group of attackers replicated some of AcidRain’s functionality.
AcidPour shares input/output control (IOCTL)-based wiping logic with VPNFilter’s ‘dstr’ plugin and AcidRain, indicating a continuation or adaptation of the previously documented malicious techniques.
The new malware includes references to ‘/dev/ubiXX’, indicating a focus on embedded systems using flash memory.
There is also a reference to ‘/dev/dm-XX’, which are virtual block devices associated with Logical Volume Management (LVM). Network Attached Storage devices, including QNAP and Synology, utilize LVM to manage RAID arrays.
![Setting a broad scope of device targeting](https://www.bleepstatic.com/images/news/u/1220909/2024/Cybersecurity/07/ubiXX.jpg)
These additions suggest that AcidPour may target a broader range of devices or systems than its predecessor, which targeted the more specific MIPS architecture.
The SentinelLabs analyst publicly shared the malware’s hash and called on the security research community to participate in collaborative analysis and verification, as the targets and distribution volume are currently unknown. A sample can be found on VirusTotal.
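As an added illustration (not code from the article, SentinelLabs or the X thread), the following Python triage helper applies the two observations above to a sample: it reads the ELF e_machine field to tell an x86 build from a MIPS one, and extracts embedded device-path strings such as /dev/ubiXX and /dev/dm-XX. The ELF bytes are constructed test data; the device prefixes beyond the two the article names and the "wiper_like" threshold are assumptions.

```python
import re
import struct

# Device-path prefixes worth flagging in a suspected wiper. /dev/ubi and /dev/dm- are the
# two the article names; the remaining prefixes are an assumption (other common embedded
# Linux flash and block devices).
DEVICE_PATTERN = re.compile(rb"/dev/(?:ubi|dm-|mtd|mmcblk|sd|loop)[0-9A-Za-z]*")

# Standard ELF e_machine constants: EM_386, EM_MIPS, EM_ARM, EM_X86_64, EM_AARCH64.
EM_NAMES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}

def elf_arch(data):
    """Return the architecture name from the ELF header, or None if data is not ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    endian = "<" if data[5] == 1 else ">"   # e_ident[EI_DATA]: 1 = little, 2 = big
    (e_machine,) = struct.unpack_from(endian + "H", data, 18)
    return EM_NAMES.get(e_machine, f"unknown({e_machine})")

def device_refs(data):
    """Unique device paths embedded as plain strings, in order of first appearance."""
    found = []
    for match in DEVICE_PATTERN.finditer(data):
        path = match.group(0).decode()
        if path not in found:
            found.append(path)
    return found

def triage(data):
    """Summarise a sample: architecture, device paths it names, and a crude wiper flag.
    The two-or-more-paths threshold is an assumption for manual review, not a verdict."""
    refs = device_refs(data)
    return {"arch": elf_arch(data), "device_refs": refs, "wiper_like": len(refs) >= 2}

def elf_header(e_machine, big_endian=False):
    """Build a minimal 20-byte ELF32 header prefix (constructed test data only)."""
    ei_data = 2 if big_endian else 1
    e_ident = b"\x7fELF" + bytes([1, ei_data, 1, 0, 0]) + b"\x00" * 7   # 16 bytes
    return e_ident + struct.pack((">" if big_endian else "<") + "HH", 2, e_machine)

# Constructed sample: x86 ELF header followed by the kind of strings the article describes.
X86_SAMPLE = elf_header(3) + b"\x00" * 32 + b"/dev/ubi0\x00/dev/dm-0\x00/dev/mtd1\x00/proc/self\x00"
# Constructed comparison sample: big-endian MIPS header with no device references.
MIPS_SAMPLE = elf_header(8, big_endian=True) + b"\x00" * 32 + b"/proc/self\x00"

if __name__ == "__main__":
    print(triage(X86_SAMPLE))
    print(triage(MIPS_SAMPLE))
```

Run it against a real sample by passing the file's bytes to triage(); a packed or string-obfuscated binary will show few device references, so an empty list is not a clean bill of health.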
“This is a threat to watch. My concern is elevated because this variant is a more powerful AcidRain variant, covering more hardware and operating system types,” warned Rob Joyce, the NSA’s Director of Cybersecurity.