In March 2024, a new variant of the AcidRain wiper malware dubbed “AcidPour” was noticed. It targets Linux data storage devices and permanently erases data from the targeted systems, making them inoperative.
It targets crucial sectors of Linux devices such as SCSI SATA, Memory Technology Devices (MTD), MultiMediaCard Storage, DMSETUP, and Unsorted Block Image devices, overwriting contents and making recovery virtually impossible.
This damaging malware, which is frequently used in coordinated cyberattacks, can severely compromise an organization’s or an individual’s data.
How to Build a Security Framework With Limited Resources IT Security Team (PDF) - Free Guide
The Malware’s Behaviour
AcidRain is an ELF malware that targets MIPS-based modems and routers. It is linked to the ViaSat KA-SAT communication disruption that occurred during the early stages of the full-scale invasion of Ukraine in 2022.
Unlike AcidRain, AcidPour has a defense evasion technique where it overwrites itself with a generated sequence of bytes from 0-255 followed by a command line message “Ok”.
This technique serves as a defense evasion for analysts and malware researchers”, Splunk Threat Research Team shared with Cyber Security News.
Using the select() function to put AcidPour’s code to sleep is another intriguing trick researchers noticed.
The timeout option, which indicates the maximum duration (in seconds) that select() should wait for events before returning, can be computed using two alternative parameters from AcidPour.
Malware Wipes Out Data On The Vulnerable Linux System
The malware systematically erased, overwritten, and wiped multiple directories as part of its destructive payload.
It primarily targets important folders, like “/boot,” which are necessary for rebooting the compromised Linux system.
Recovery is almost impossible because the files in these targeted directories are replaced with 32KB of randomly generated bytes.
AcidPour targets a broader range of device node paths for wiping out such as /dev/sd*, /dev/mtd*, /dev/mtdblock*, /dev/block/mtdblock*, /dev/mmcblk*, /dev/block/mmcblk*, /dev/loop*, /dev/dm-* and /dev/Ubi*
The wiper repeatedly and methodically overwrites files on the designated device paths with 256KB (0x40000) random-generated buffers by employing the file block overwrite technique.
AcidPour’s alternative method is comparable to AcidRain’s, which uses system Input/Output Control (IOCTL) commands to execute malicious actions.
“System Shutdown/Reboot (T1529)After wiping and deleting files, the compromised host or system will reboot, rendering it unbootable as all critical files have been wiped and deleted”, researchers said.
While AcidPour and AcidRain, or VPNFilter’s ‘dstr’ module, have similar file wiping capabilities, researchers point out that AcidPour is specifically made to destroy or damage compromised host or production networks, whereas VPNFilter—which Cisco Talos first identified—has extra features for data exfiltration and code injection.
Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Free Access