Researchers have uncovered a more dangerous and prolific version of the wiper malware used by Russian military intelligence to disrupt satellite broadband service in Ukraine just prior to Russia's invasion of the country in February 2022.
The new variant, "AcidPour," bears several similarities to its predecessor but is compiled for the x86 architecture, unlike AcidRain, which targeted MIPS-based systems. The new wiper also includes features for use against a considerably broader range of targets than AcidRain, according to researchers at SentinelOne who discovered the threat.
Wider Destructive Capabilities
"AcidPour's expanded destructive capabilities include Linux Unsorted Block Image (UBI) and Device Mapper (DM) logic, which impacts handhelds, IoT, networking, or, in some cases, ICS devices," says Tom Hegel, senior threat researcher at SentinelOne. "Devices like storage area networks (SANs), network attached storage (NAS), and dedicated RAID arrays are also now in scope for AcidPour's effects."
Another new capability of AcidPour is a self-delete function that erases all traces of the malware from the systems it infects, Hegel says. AcidPour is a relatively more sophisticated wiper overall than AcidRain, he says, pointing to the latter's excessive use of process forking and unwarranted repetition of certain operations as examples of its overall sloppiness.
SentinelOne discovered AcidRain in February 2022 following a cyberattack that knocked offline some 10,000 satellite modems connected to communications provider Viasat's KA-SAT network. The attack disrupted consumer broadband service for thousands of customers in Ukraine and for tens of thousands of people in Europe. SentinelOne concluded that the malware was likely the work of a group associated with Sandworm (aka APT 28, Fancy Bear, and Sofacy), a Russian operation responsible for numerous disruptive cyberattacks in Ukraine.
SentinelOne researchers first spotted the new variant, AcidPour, on March 16 but have not yet observed anyone using it in an actual attack.
Sandworm Ties
Their initial analysis of the wiper revealed several similarities to AcidRain, which a subsequent deeper dive then confirmed. The notable overlaps that SentinelOne found included AcidPour's use of the same reboot mechanism as AcidRain, and identical logic for recursive directory wiping.
SentinelOne also found AcidPour's IOCTL-based wiping mechanism to be the same as the wiping mechanism in AcidRain and in VPNFilter, a modular attack platform that the US Department of Justice has linked to Sandworm. IOCTL is a mechanism for securely erasing or wiping data from storage devices by sending specific commands to the device.
"One of the most interesting aspects of AcidPour is its coding style, reminiscent of the pragmatic CaddyWiper widely used against Ukrainian targets alongside notable malware like Industroyer 2," SentinelOne said. Both CaddyWiper and Industroyer 2 are malware used by Russia-backed state groups in destructive attacks on organizations in Ukraine, even before Russia's February 2022 invasion of the country.
Ukraine's CERT has analyzed AcidPour and attributed it to UAC-0165, a threat actor that is part of the Sandworm group, SentinelOne said.
AcidPour and AcidRain are among numerous wipers that Russian actors have deployed against Ukrainian targets in recent years, and particularly since the onset of the current war between the two countries. Even though the threat actor managed to knock thousands of modems offline in the Viasat attack, the company was able to recover and redeploy them after removing the malware.
In many other instances, though, organizations have been forced to discard systems following a wiper attack. One of the most notable examples is the 2012 Shamoon wiper attack on Saudi Aramco, which crippled some 30,000 systems at the company.
As was the case with Shamoon and AcidRain, threat actors often have not needed to make wipers sophisticated for them to be effective. That is because the only function of the malware is to overwrite or delete data on systems and render them unusable, so the evasive tactics and obfuscation techniques associated with data theft and cyber espionage attacks are not necessary.
The best defense against wipers, or at least the best way to limit the damage from them, is to implement the same kind of defenses as for ransomware. That means having backups in place for critical data and ensuring robust incident response plans and capabilities.
Network segmentation is also key, because wipers are more effective when they are able to spread to other systems, so that kind of defense posture helps thwart lateral movement.