New AcidPour data wiper targets Linux x86 Network Devices

SentinelLabs security researcher Tom Hegel has spotted a new destructive malware dubbed AcidPour, which appears to be a variant of the AcidRain data wiper used against satellite communications provider Viasat in 2022. In a series of threads on X (formerly known as Twitter), Juan Andres Guerrero-Saade, AVP of Research for SentinelLabs, provided details on the new data wiper, noting that it is designed to target Linux x86 IoT and networking devices. While 30% of AcidPour’s codebase overlaps with AcidRain, there are a couple of notable additions. According to Guerrero-Saade, AcidPour includes references to the file path ‘/dev/ubiXX’, indicating the malware is capable of wiping Unsorted Block Image (UBI) volumes, the flash-memory storage layer used in IoT devices, networking devices, and potentially ICS. AcidPour also contains a reference to ‘/dev/dm-XX’, enabling it to target the virtual block devices associated with Logical Volume Management (LVM); Network Attached Storage devices, including QNAP and Synology, use LVM to manage RAID arrays.
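As an added triage example (not from SentinelLabs or the report), the Python heuristic below reads an ELF sample’s architecture from its header and searches it for the UBI and device-mapper paths the write-up calls out, so a hunt team can sort x86 samples carrying those references from unrelated MIPS or benign binaries. The sample blob it builds is constructed for testing and is not real malware.

```python
import re
import struct

# ELF e_machine values from the ELF specification
EM_386 = 3
EM_MIPS = 8
EM_X86_64 = 62
ARCH_NAMES = {EM_386: "x86", EM_X86_64: "x86-64", EM_MIPS: "MIPS"}

# Device-path patterns highlighted in the AcidPour write-up: UBI flash
# volumes and device-mapper (LVM) block devices. \d* also catches the
# bare prefix when the binary fills in the number at runtime.
DEVICE_PATTERNS = {
    "ubi": re.compile(rb"/dev/ubi\d*"),
    "dm": re.compile(rb"/dev/dm-\d*"),
}

def elf_machine(data: bytes):
    """Return the e_machine field of an ELF image, or None if not ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    endian = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little, 2 = big
    return struct.unpack(endian + "H", data[18:20])[0]

def triage(data: bytes) -> dict:
    """Flag an ELF sample that references UBI or device-mapper nodes."""
    machine = elf_machine(data)
    hits = {name: sorted({m.decode() for m in pat.findall(data)})
            for name, pat in DEVICE_PATTERNS.items()}
    return {
        "is_elf": machine is not None,
        "arch": ARCH_NAMES.get(machine, "other") if machine is not None else None,
        "ubi_refs": hits["ubi"],
        "dm_refs": hits["dm"],
        "suspicious": machine is not None and any(hits.values()),
    }

def make_sample(machine: int, strings: bytes) -> bytes:
    """Build a constructed, non-executable ELF-like blob for testing."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8  # 32-bit, little-endian
    header = ident + struct.pack("<HH", 2, machine) + b"\x00" * 32  # e_type=EXEC
    return header + strings

if __name__ == "__main__":
    blob = make_sample(EM_386, b"\x00/dev/ubi0\x00/dev/dm-1\x00/dev/sda\x00")
    print(triage(blob))
```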

Analyst Comments:
Since Russia’s invasion of Ukraine, data wipers have become a popular tool among threat actors, given their destructive ability to delete files and data from targeted devices and leave mission-critical systems inoperable. For instance, the AcidRain attack on Viasat rendered KA-SAT modems in Ukraine inoperable, with spillover from the attack leaving 5,800 Enercon wind turbines in Germany unable to communicate for remote monitoring or control. While AcidRain targeted the MIPS architecture specifically, AcidPour (an ELF binary compiled for x86) enables actors to target a broader range of devices and systems.

Suggested Corrections:
AcidPour was uploaded to VirusTotal from Ukraine on March 16, 2024. Currently, 32 security vendors detect this new wiper. While it is unclear whether the new wiper has been used in attacks in the wild or who its targets are, organizations should routinely update software, run regular anti-virus scans, filter network traffic, implement multi-factor authentication, and maintain backups of mission-critical data to defend against potential attacks.