New AcidPour Wiper Targeting Linux Devices Spotted in Ukraine

Researchers at SentinelLabs uncovered a new variant of the destructive wiper malware AcidRain, called AcidPour. AcidRain has been linked to Russian military intelligence and was notably used in a cyber-attack against Viasat's KA-SAT satellite modems in Ukraine in May 2022, causing widespread disruption. AcidPour, discovered on March 16, 2024, in a suspicious Linux binary from Ukraine, shares similarities with AcidRain but extends its capabilities. It targets specific directories and device paths common in embedded Linux distributions and uses a similar reboot mechanism. The new variant adds logic for Linux Unsorted Block Images (UBI), the subsystem used for raw flash memory, and for Device Mapper, the block-storage translation layer.

SentinelLabs noted that AcidPour's enhanced capabilities could disable a wide range of embedded devices, including networking and IoT equipment, storage systems, and potentially industrial control systems running Linux x86 distributions. While AcidRain and AcidPour are closely related, only about 30% of their code overlaps, which may indicate a different threat actor.
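As an added defender-side illustration (this is example code, not part of the SentinelLabs report or of this write-up), the following Python script generates auditd watch rules for the kind of embedded-storage device nodes mentioned above (UBI volumes under /dev/ubi*, Device Mapper nodes under /dev/dm-* and /dev/mapper/) and then parses a constructed auditd log excerpt to surface processes that opened such a node for writing. The device globs, the audit key name raw_block_write, the sample log lines, and the process names in them are all assumptions of this example.

```python
"""Flag write-opens of raw flash / Device Mapper device nodes via auditd records.

Added example: the device patterns, the audit key and the log excerpt below are
constructed for illustration and are not indicators published for AcidPour.
"""
import glob
import re

# Standard Linux device-node names for UBI volumes and Device Mapper targets.
# Watching these is this example's choice (assumption), not a published rule.
DEVICE_GLOBS = ("/dev/ubi*", "/dev/dm-*", "/dev/mapper/*")
AUDIT_KEY = "raw_block_write"  # hypothetical key used to tag matching events


def discover_device_nodes(globs=DEVICE_GLOBS):
    """Enumerate device nodes present on this host (auditd -w takes no wildcards)."""
    nodes = []
    for pattern in globs:
        nodes.extend(glob.glob(pattern))
    return nodes


def audit_rules(paths, key=AUDIT_KEY):
    """Return one auditd watch rule per node that logs write opens under `key`."""
    return [f"-w {p} -p w -k {key}" for p in sorted(set(paths))]


# auditd record layout: type=<T> msg=audit(<ts>:<serial>): k=v k="v" ...
_HEADER = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$"
)
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fields(body):
    """Split an audit record body into a dict, stripping quotes from values."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in _FIELD.findall(body)}


def group_events(lines):
    """Group SYSCALL and PATH records that share an event serial."""
    events = {}
    for line in lines:
        m = _HEADER.match(line.strip())
        if not m:
            continue
        ev = events.setdefault(m["serial"], {"ts": m["ts"], "syscall": {}, "paths": []})
        fields = parse_fields(m["body"])
        if m["type"] == "SYSCALL":
            ev["syscall"] = fields
        elif m["type"] == "PATH":
            ev["paths"].append(fields)
    return events


def find_raw_block_writes(lines, key=AUDIT_KEY):
    """Return events tagged with `key`, with the process and the device node touched."""
    findings = []
    for serial, ev in sorted(group_events(lines).items(), key=lambda kv: int(kv[0])):
        sc = ev["syscall"]
        if sc.get("key") != key:
            continue
        # The watched node is the NORMAL path item; the PARENT item is its directory.
        devices = [p["name"] for p in ev["paths"] if p.get("nametype") == "NORMAL"]
        findings.append({
            "serial": serial,
            "ts": ev["ts"],
            "pid": sc.get("pid"),
            "comm": sc.get("comm"),
            "exe": sc.get("exe"),
            "device": devices[0] if devices else None,
            "success": sc.get("success") == "yes",
        })
    return findings


# Constructed audit.log excerpt: event 301 is a keyed write-open of a UBI volume,
# 302 is an untagged read-only open, 303 is a keyed but denied write-open.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1710600000.101:301): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1c a2=1 a3=0 items=2 ppid=1 pid=4242 auid=0 uid=0 gid=0 comm="unknown_bin" exe="/tmp/unknown_bin" key="raw_block_write"
type=CWD msg=audit(1710600000.101:301): cwd="/tmp"
type=PATH msg=audit(1710600000.101:301): item=0 name="/dev" inode=1 dev=00:06 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1710600000.101:301): item=1 name="/dev/ubi0_0" inode=120 dev=00:06 mode=020600 ouid=0 ogid=0 rdev=f3:00 nametype=NORMAL
type=SYSCALL msg=audit(1710600000.250:302): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffd2c a2=0 a3=0 items=2 ppid=1 pid=900 auid=0 uid=0 gid=0 comm="udevadm" exe="/usr/bin/udevadm"
type=PATH msg=audit(1710600000.250:302): item=1 name="/dev/mapper/root" inode=130 dev=00:06 mode=020600 ouid=0 ogid=0 rdev=fe:00 nametype=NORMAL
type=SYSCALL msg=audit(1710600000.410:303): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd3c a2=2 a3=0 items=2 ppid=1 pid=4300 auid=1000 uid=1000 gid=1000 comm="dd" exe="/usr/bin/dd" key="raw_block_write"
type=PATH msg=audit(1710600000.410:303): item=1 name="/dev/dm-0" inode=140 dev=00:06 mode=020600 ouid=0 ogid=6 rdev=fe:00 nametype=NORMAL
"""

if __name__ == "__main__":
    for rule in audit_rules(discover_device_nodes() or ["/dev/ubi0_0", "/dev/dm-0"]):
        print(rule)
    for hit in find_raw_block_writes(SAMPLE_AUDIT_LOG.splitlines()):
        print(hit)
```

On a real host the rules would be appended to /etc/audit/rules.d/ and reloaded with augenrules; because a watch rule only records the open, a denied attempt (event 303 above) is still reported, which is the signal a defender wants to see before a wipe succeeds.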

Security Officer Comments:
Ukraine's SSSCIP attributed AcidPour to UAC-0165, a subgroup of Sandworm, an APT group associated with Russia's GRU. The ongoing disruption of Ukrainian telecommunication networks since March 13 aligns with the emergence of AcidPour. SentinelLabs concluded that the transition from AcidRain to AcidPour reflects a strategic intent to cause substantial operational impact, showing both technical refinement and deliberate target selection to disrupt critical infrastructure and communications.

Suggested Corrections:
The SentinelLabs analyst publicly shared the malware's hash and called on the security research community to participate in collaborative analysis and verification, as the targets and distribution volume are currently unknown. A sample can be found on VirusTotal. The discovery of AcidPour is a wake-up call for the Linux community. The evolving nature of malware threats demands constant vigilance and adaptability from security practitioners. By staying informed, collaborating globally, and implementing robust security measures, Linux admins, infosec professionals, internet security enthusiasts, and sysadmins can defend effectively against current and future malware variants.