Researchers have discovered a more dangerous and prolific version of the wiper malware used by Russian military intelligence to disrupt satellite broadband service in Ukraine just before Russia’s February 2022 invasion of the country.
The new variant”acidFor,” features multiple similarities to its predecessor but is compiled for the X86 architecture, unlike AcidRain which targeted MIPS-based systems. The new wiper also includes features for its use against a significantly wider range of targets than to AcidRain, according to SentinelOne researchers who discovered the threat.
Wider destructive capabilities
“AcidPour’s extended destructive capabilities include Linux Unsorted Block Image (UBI) and Device Mapper (DM) logic, which impacts handhelds, IoT, networks, or, in some cases, ICS devices,” says Tom Hegel, senior researcher on threats at SentinelOne. “Even devices such as storage area networks (SAN), network attached storage (NAS) and dedicated RAID arrays are now within the scope of AcidPour’s effects.”
Another new feature of AcidPour is a self-delete function that erases all traces of the malware from the systems it infects, Hegel says. AcidPour is overall a relatively more sophisticated cleaner than AcidRain, he says, pointing to the latter’s overuse of the forking process and unwarranted repetition of certain operations as examples of its overall negligence.
SentinelOne discovered AcidRain in February 2022 following a cyber attack took approximately 10,000 satellite modems offline associated with the KA-SAT network of the communications provider Viasat. The attack disrupted broadband service for thousands of customers in Ukraine and tens of thousands of people in Europe. SentinelOne concluded that the malware was likely the work of a group associated with Sandworm (aka APT 28, Fancy Bear, and Sofacy), a Russian operation responsible for numerous disruptive cyber attacks in Ukraine.
SentinelOne researchers first spotted the new variant, AcidPour, on March 16, but have yet to observe anyone using it in an actual attack.
Sandworm bonds
Their initial analysis of the wiper revealed multiple similarities to AcidRain, which further investigation confirmed. Notable overlaps discovered by SentinelOne included AcidPour’s use of the same restart mechanism as AcidRain and the same logic for recursively deleting directories.
SentinelOne also found that AcidPour’s IOCTL-based cleanup mechanism is identical to AcidRain’s and VPNFilter’s cleanup mechanism, a modular attack platform available to the United States Department of Justice related to the sandworm. IOCTL is a mechanism to securely erase or erase data from storage devices by sending specific commands to the device.
“One of the most interesting aspects of AcidPour is its pragmatic coding style CaddyWiper widely used against Ukrainian targets along with major malware such as Industry 2“SentinelOne said. Both CaddyWiper and Industroyer 2 are malware used by Russian-backed state groups in destructive attacks against organizations in Ukraine, even before Russia’s February 2022 invasion of the country.
Ukrainian CERT analyzed AcidPour and attributed it to UAC-0165, a malicious actor that is part of the Sandworm group, SentinelOne said.
AcidPour and AcidRain are among several cleaners that Russian actors have deployed against Ukrainian targets in recent years, and particularly since the start of the current war between the two countries. Although the threat actor managed to take thousands of modems offline during the Viasat attack, the company was able to recover and redistribute them after removing the malware.
In many other cases, however, organizations have been forced to delete systems following a wiper attack. One of the most notable examples is 2012 Shamoon attack on Saudi Aramco that crippled approximately 30,000 of the company’s systems.
As with Shamoon and AcidRain, threat actors typically don’t need to make wipers sophisticated to be effective. This is because the malware’s only function is to overwrite or delete data from systems and make them unusable evasive tactics and there is no need for obfuscation techniques associated with data theft and cyber espionage attacks.
The best defense against wipers, or to limit the damage that results from them, is to implement the same type of defenses as for ransomware. This means having backups for critical data and ensuring robust incident response plans and capabilities.
Network segmentation is also key because wipers are most effective when they are able to spread to other systems, so that kind of defense posture helps counteract lateral movement.