Suspected Russian data-wiping malware ‘AcidPour’ targeting Linux x86 devices

March 19, 2024 | Pressroom | Linux / cyber espionage

Data deletion malware

A new variant of a data-wiping malware called AcidRain, designed specifically to target x86 Linux devices, has been detected in circulation.

The malware, nicknamed AcidPour, is compiled for x86 Linux devices, SentinelOne’s Juan Andres Guerrero-Saade said in a series of X posts.

“The new variant […] is an ELF binary compiled for x86 (not MIPS) and although it refers to similar devices/strings, it is a vastly different code base,” Guerrero-Saade noted.

AcidRain first came to light in the early days of the Russian-Ukrainian war, when it was used against the KA-SAT modems of the US satellite company Viasat.

AcidRain is an ELF binary compiled for the MIPS architecture that wipes the filesystem and several files on known storage devices by recursively iterating over directories common to most Linux distributions.


The cyberattack was later attributed to Russia by the Five Eyes nations, along with Ukraine and the European Union.

AcidPour, as the new variant is called, is designed to erase the contents of RAID arrays and Unsorted Block Image (UBI) file systems through the addition of file paths such as “/dev/dm-XX” and “/dev/ubiXX”, respectively.
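One practical consequence for defenders of the two paragraphs above is that the device nodes AcidPour adds to its wipe list (/dev/dm-XX for device-mapper/RAID, /dev/ubiXX for UBI volumes) are rarely opened for writing by anything other than a handful of storage-management tools. The following is an added example, not code from SentinelOne or from the article, that runs a simple detection rule over constructed, simplified audit-style open() records: it flags any write-open of such a node by a process outside a hypothetical allowlist, and separately flags one process opening several distinct target devices for writing. The record format, the allowlist, the device-name regex and the threshold are all assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Device nodes the article names as AcidPour wipe targets: device-mapper/RAID
# nodes (/dev/dm-XX) and UBI volumes (/dev/ubiXX, including ubiX_Y volumes).
# The exact naming pattern is an assumption, not taken from the malware.
TARGET_DEVICE_RE = re.compile(r"^/dev/(dm-\d+|ubi\d+(?:_\d+)?)$")

# Hypothetical allowlist of processes expected to open these nodes for writing.
EXPECTED_WRITERS = {"mdadm", "lvm", "ubiupdatevol", "ubiformat", "mkfs.ext4"}

# One process write-opening this many distinct target devices is treated as a
# mass-wipe pattern regardless of the allowlist (chosen threshold, an assumption).
MASS_WRITE_THRESHOLD = 2


@dataclass(frozen=True)
class Alert:
    pid: int
    comm: str
    path: str
    reason: str


# Constructed, simplified audit-style lines (not real captures); one record per
# open() with the resolved file name and the open flags.
SAMPLE_LOG = """\
ts=1710806400 pid=412 comm="mdadm" name="/dev/dm-0" flags=O_RDWR
ts=1710806401 pid=981 comm="sshd" name="/var/log/auth.log" flags=O_WRONLY|O_APPEND
ts=1710806402 pid=1337 comm="update" name="/dev/dm-0" flags=O_WRONLY
ts=1710806402 pid=1337 comm="update" name="/dev/dm-1" flags=O_WRONLY
ts=1710806403 pid=1337 comm="update" name="/dev/ubi0_0" flags=O_WRONLY
ts=1710806404 pid=1500 comm="cat" name="/dev/ubi0" flags=O_RDONLY
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Parse one key=value record; quoted values lose their surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def opened_for_write(flags: str) -> bool:
    """True if the open flags include a writable access mode."""
    return bool({"O_WRONLY", "O_RDWR"} & set(flags.split("|")))


def scan(log_text: str) -> list[Alert]:
    """Return alerts for suspicious write-opens of RAID/UBI device nodes."""
    alerts: list[Alert] = []
    per_pid: dict[int, set[str]] = defaultdict(set)  # distinct target devices per pid
    comm_of: dict[int, str] = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue
        path = rec.get("name", "")
        if not TARGET_DEVICE_RE.match(path) or not opened_for_write(rec.get("flags", "")):
            continue
        pid, comm = int(rec["pid"]), rec.get("comm", "?")
        per_pid[pid].add(path)
        comm_of[pid] = comm
        if comm not in EXPECTED_WRITERS:
            alerts.append(Alert(pid, comm, path,
                                "write-open of wipe-target device by unexpected process"))
    for pid, paths in per_pid.items():
        if len(paths) >= MASS_WRITE_THRESHOLD:
            alerts.append(Alert(pid, comm_of[pid], ",".join(sorted(paths)),
                                f"{len(paths)} distinct target devices opened for writing by one process"))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"pid={a.pid} comm={a.comm} path={a.path}: {a.reason}")
```

On the constructed sample the allowlisted mdadm open of /dev/dm-0 is silent, the read-only open of /dev/ubi0 is silent, and the "update" process produces three per-device alerts plus one mass-write alert. A real deployment would feed this from auditd or eBPF open events rather than the constructed lines, and would tune the allowlist to the host's actual storage tooling.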

It is currently unclear who the intended victims are, although SentinelOne said it had informed Ukrainian agencies. The exact scope of the attacks is currently unknown.

The discovery once again highlights the use of wiper malware to paralyze targets, even as threat actors are diversifying their attack methods for maximum impact.
