New AcidPour wiper targeting Linux devices spotted in Ukraine


A new variant of the AcidRain wiper malware, known as AcidPour, has been discovered by SentinelOne’s threat intelligence team, SentinelLabs.

AcidRain is a destructive erasure malware attributed to Russian military intelligence.

In May 2022, AcidRain was used in a large-scale cyberattack against Viasat’s KA-SAT satellites in Ukraine.

The malware rendered KA-SAT modems inoperable in Ukraine and caused additional disruptions across Europe as the Russian invasion began.

AcidPour shows its proximity to AcidRain

On March 16, 2024, SentinelLabs researchers Juan Andrés Guerrero-Saade and Tom Hegel began observing a suspicious Linux binary downloaded from Ukraine.

They quickly realized that this activity had superficial similarities to malicious activity originating from AcidRain.

The new malware they observed also showed behaviors similar to AcidRain, such as targeting specific directories and device paths common in embedded Linux distributions.

AcidRain and AcidPour have a similar restart mechanism.  Source: SentinelOne
AcidRain and AcidPour have a similar restart mechanism. Source: SentinelOne

However, the new malware appeared to expand AcidRain’s capabilities and destructive potential to include Linux Unsorted Block Image (UBI) and Device Mapper (DM) logic.

UBI is a volume management system specifically designed for raw flash memory devices, such as those found in solid state drives and embedded systems.

DM is a Linux system that acts as a translator between applications (e.g. file systems) and physical storage devices.

They called the new variant AcidPour.

“Our technical analysis suggests that AcidPour’s expanded capabilities would enable it to better disable embedded devices, including networking, Internet of Things (IoT), large storage (RAID), and potentially industrial control systems (ICS) running x86 Linux distributions. » » wrote the SentinelLabs researchers.

AcidPour assigned to the Sandworm subgroup

Although SentinelLabs’ analysis showed proximity between AcidRain and AcidPour, researchers estimated that the code bases of the two programs only overlap by about 30%.

This suggests that AcidPour could have been developed by another threat actor.

Following Saade and Hegel’s initial report on X, it was reported that the Ukrainian SSCIP assigned AcidPour to UAC-0165, a subgroup of the so-called Sandworm.

Sandworm is an advanced persistent threat (APT) group believed to be operated by Unit 74455, a cyberwarfare unit of the Russian military intelligence service (GRU).

SentinelLabs’ findings coincide with the ongoing disruption of several Ukrainian telecommunications networks, apparently offline since March 13. The malicious campaign was publicly claimed by a GRU hacktivist via Telegram.

NSA Director Rob Joyce said on X that it was a “threat to watch out for.”

“My concern is even greater since this variant is a more powerful variant of AcidRain, covering more hardware types and operating systems,” he added.

In their report, Guerrero-Saade and Hegel of SentinelLabs concluded: “The transition from AcidRain to AcidPour, with its expanded capabilities, underscores the strategic intent to inflict significant operational impact. This progression reveals not only a refinement of the technical capabilities of these malicious actors, but also their calculated approach to selecting targets that maximize tracking effects, disrupting critical infrastructure and communications.

Leave a comment