A brand new variant of the wiper malware AcidRain, referred to as AcidPour, has been found by SentinelOne’s risk intelligence group, SentinelLabs.
AcidRain is harmful wiper malware attributed to Russian navy intelligence.
In Could 2022, AcidRain was utilized in a broad-scale cyber-attack in opposition to Viasat’s KA-SAT satellites in Ukraine.
The malware rendered KA-SAT modems inoperative in Ukraine and brought about extra disruptions all through Europe on the onset of the Russian invasion.
AcidPour Exhibits Proximity with AcidRain
On March 16, 2024, SentinelLabs researchers Juan Andrés Guerrero-Saade and Tom Hegel started observing a suspicious Linux binary uploaded from Ukraine.
They shortly realized that this exercise confirmed floor similarities with malicious actions originating from AcidRain.
The brand new malware they noticed additionally confirmed behaviors just like AcidRain’s, reminiscent of concentrating on particular directories and gadget paths widespread in embedded Linux distributions.
Nonetheless, the brand new malware appeared to increase upon AcidRain’s capabilities and harmful potential to incorporate Linux Unsorted Block Picture (UBI) and Gadget Mapper (DM) logic.
UBI is a quantity administration system particularly designed for uncooked flash reminiscence gadgets, reminiscent of these present in solid-state drives (SSDs) and embedded techniques.
DM is a Linux system that acts as a translator between purposes (e.g., filesystems) and bodily storage gadgets.
They known as the brand new variant AcidPour.
It has been an fascinating weekend! Eagle-eyed @TomHegel noticed what seems to be a brand new variant of AcidRain. Notably this pattern was compiled for Linux x86 gadgets, we’re calling it ‘AcidPour’. These of you that analyzed AcidRain will acknowledge a few of the strings. Evaluation 🧵 pic.twitter.com/wY3PJKaOwK
— J. A. Guerrero-Saade (@juanandres_gs) March 18, 2024
“Our technical evaluation means that AcidPour’s expanded capabilities would allow it to higher disable embedded gadgets together with networking, Web-of-Issues (IoT), massive storage (RAIDs), and probably industrial management techniques (ICS) gadgets working Linux x86 distributions,” wrote SentinelLabs researchers.
AcidPour Attributed to Sandworm Subcluster
Though the SentinelLabs evaluation confirmed proximity between AcidRain and AcidPour, the researchers assessed that the 2 applications’ codebases solely overlap by an estimated 30%.
This means that AcidPour may have been developed by a distinct risk actor.
Following Saade and Hegel’s preliminary reporting on X it was reported that the Ukrainian SSCIP attributed AcidPour to UAC-0165, a subgroup of what’s referred to as Sandworm.
Sandworm is a sophisticated persistent risk (APT) group believed to be operated by Unit 74455, a cyberwarfare unit of Russia’s navy intelligence service (GRU).
The SentinelLabs findings coincide with the enduring disruption of a number of Ukrainian telecommunication networks, reportedly offline since March 13. The malicious marketing campaign was publicly claimed by a GRU-operated hacktivist persona through Telegram.
The NSA Director Rob Joyce stated on X that it’s “a risk to look at.”
“My concern is elevated as a result of this variant is a extra highly effective AcidRain variant, overlaying extra {hardware} and working system varieties,” he added.
It is a risk to look at. My concern is elevated as a result of this variant is a extra highly effective AcidRain variant, overlaying extra {hardware} and working system varieties. https://t.co/h0s6pJGuzv
— Rob Joyce (@NSA_CSDirector) March 19, 2024
Of their report, SentinelLabs’ Guerrero-Saade and Hegel concluded: “The transition from AcidRain to AcidPour, with its expanded capabilities, underscores the strategic intent to inflict important operational impression. This development reveals not solely a refinement within the technical capabilities of those risk actors but additionally their calculated strategy to pick targets that maximize follow-on results, disrupting vital infrastructure and communications.”
