Researchers have uncovered a new variant of the AcidRain Linux malware that wiped thousands of modems and network routers in Ukraine two years ago, and the updated malware looks to be aimed at a broader range of devices, including network-attached storage (NAS) and other network devices.
The newer variant is known as AcidPour and researchers from SentinelOne’s SentinelLabs discovered it on Saturday after some monitoring tools they had set up after the initial AcidRain attacks in 2022 picked up a new sample. This was the first new sample of the malware that the tools had found since those first intrusions, and the researchers quickly discovered that AcidPour had significant similarities to AcidRain, but was nowhere near identical. The original malware was compiled for the MIPS architecture, which is often used in embedded Linux devices, while the new variant is designed for x86 systems. There’s about a 30 percent overlap in the codebases of the two variants, and they both have the ability to wipe data and system information from target devices, though they go about it in different ways.
“It’s like the same sculptor trying to make the same statue but with different materials,” said Juan Andres Guerrero-Saade, AVP of SentinelLabs.
SentinelLabs’ analysis found that AcidPour looks to be targeted at systems that rely on flash memory. That could include some embedded devices, network attached storage devices, RAID arrays, and some networking devices. The wiping logic for both variants is similar, Guerrero-Saade said, but not identical. In the case of AcidRain, the malware installation was the last step of complex operations that involved several other toolkits and steps.
“I would assume it’s the same situation here. This is the end goal of the operation here, but it’s hard for us to judge the other steps, since we haven’t seen them,” Guerrero-Saade said. “The real payoff for something like this is if you have supply chain access or something like that and you can burn everything in your path.”
The original AcidRain malware attacks occurred in the early days of Russia’s invasion of Ukraine in 2022, and AcidRain is one of many pieces of wiper malware that have been deployed against Ukrainian targets since the invasion began. Other wiper attacks have hit desktop systems, modems, and other devices in the past. The modifications in AcidPour make it fit for a wider range of targets, which is worrisome.
“AcidPour isn’t very tailored in its design. When you get to the point where you have the opportunity to burn a bunch of embedded devices, this is what you would use. The big question is the stuff in data centers. That’s one thing you could hit with this,” Guerrero-Saade said.
Some of the key changes in AcidPour from the original AcidRain variant relate to the ability to target different types of memory. The modifications also made it more challenging for the researchers to analyze the AcidPour sample and establish the connection to AcidRain.
“They’re both for Linux but the older one was for MIPS and this is for x86. That’s what makes it even more universal and from a reverse engineering standpoint, way harder to figure out how similar it is,” Guerrero-Saade said.
“We didn’t want to take it at face value. The similarities really hit you in the way it’s architected. They changed some logic and the way it’s built and the way it does what it wants to accomplish.”
SentinelLabs did not attribute the malware to any specific threat group.