Linux systems are used widely for servers, cloud environments, and IoT devices, which makes them an attractive target to cybercriminals, just as they are for any other platform.
Its extensive usage also provides a big area of attack, and its open-source characteristic enables hackers to analyze its codes for weak points.
Cybersecurity researchers at SentinelLabs recently discovered a new malware variant of AcidRain, dubbed “AcidPour,” that has been found attacking Linux systems running on x86 architecture.
AcidPour Attacking Linux Systems
On March 16th, 2024, a suspicious Linux binary uploaded from Ukraine was identified as a new variant called “AcidPour,” a wiper with similar and expanded capabilities to the infamous “AcidRain” that rendered KA-SAT modems inoperable during Russia’s invasion of Ukraine in 2022, disrupting services across Europe.
Free Webinar : Mitigating Vulnerability & 0-day Threats
Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.
:
- The problem of vulnerability fatigue today
- Difference between CVSS-specific vulnerability vs risk-based vulnerability
- Evaluating vulnerabilities based on the business impact/risk
- Automation to reduce alert fatigue and enhance security posture significantly
AcuRisQ, that helps you to quantify risk accurately:
This is the first confirmed AcidRain variant detected since the original analysis which assessed medium-confidence developmental similarities between AcidRain and Russia’s VPNFilter malware.
Despite numerous cyber operations against Ukraine since 2022, no further AcidRain variants have been observed.
While AcidRain was an MIPS-compiled Linux wiper indiscriminately targeting hardcoded paths on embedded devices, the new AcidPour variant is an x86 ELF binary with expanded, modified capabilities tailored for different targets.
Automated code comparison across architectures yields low <30% similarity confidence.
However, deep analysis reveals notable shared traits – the reboot mechanism, recursive directory wiping logic, and, critically, the IOCTL-based wipe technique linking AcidPour to AcidRain and VPNFilter’s “dstr” plugin.
Despite architectural differences limiting direct comparison, the evidence suggests AcidPour is an evolved, specialized variant expanding on AcidRain’s destructive capabilities.
.webp)
AcidPour expands AcidRain’s capabilities to target Linux devices with UBI and DM support.
It enables raw access to flash memory via /dev/ubiXX paths for embedded systems like handhelds, IoT, networking, and ICS devices.
Additionally, it handles /dev/dm-XX paths for logical volume management, enabling access to SANs, NASes, and RAID arrays. AcidRain’s supported devices:-
.webp)
Pragmatic is the coding style for AcidPour; this is similar to the way CaddyWiper was used against Ukrainian targets.
It is written in C, without external libraries it uses direct syscalls and inline assembly for operations such as string manipulation.
CERT-UA attributed this activity to UAC-0165, a Sandworm APT subgroup targeting Ukrainian infrastructure.
In September 2023, Ukraine’s SSSCIP linked UAC-0165 to GRU-linked hacktivist personas like SolntsepekZ, which claimed intrusions before AcidPour’s discovery.
.webp)
SolntsepekZ uses Telegram and domains like solntsepek[. ]com (185.61.137.155).
While the impact on ISPs like Triacom is ongoing, AcidPour’s capabilities fit this disruption starting March 13th, suggesting links between this persona and GRU operations.
Moreover, AcidPour shows improved refinement, technical expertise, and an analytic approach to maximize its effect on vital infrastructure, which requires ongoing monitoring.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.