Russian APT Releases More Deadly Variant of AcidRain Wiper Malware

Researchers have uncovered a more dangerous and prolific version of the wiper malware used by Russian military intelligence to disrupt satellite broadband service in Ukraine just prior to Russia's invasion of the country in February 2022.

The new variant, "AcidPour," bears several similarities to its predecessor but is compiled for the x86 architecture, unlike AcidRain, which targeted MIPS-based systems. The new wiper also includes features that allow it to be used against a considerably broader range of targets than AcidRain, according to the researchers at SentinelOne who discovered the threat.

Wider Destructive Capabilities

"AcidPour's expanded destructive capabilities include Linux Unsorted Block Image (UBI) and Device Mapper (DM) logic, which impacts handhelds, IoT, networking, or, in some cases, ICS devices," says Tom Hegel, senior threat researcher at SentinelOne. "Devices like storage area networks (SANs), network attached storage (NAS), and dedicated RAID arrays are also now in scope for AcidPour's effects."

Another new capability of AcidPour is a self-delete function that erases all traces of the malware from the systems it infects, Hegel says. AcidPour is a relatively more refined wiper overall than AcidRain, he says, pointing to the latter's excessive use of process forking and unwarranted repetition of certain operations as examples of its overall sloppiness.

SentinelOne discovered AcidRain in February 2022 following a cyberattack that knocked offline some 10,000 satellite modems connected to communications provider Viasat's KA-SAT network. The attack disrupted consumer broadband service for thousands of customers in Ukraine, and for tens of thousands of people in Europe. SentinelOne concluded that the malware was likely the work of a group associated with Sandworm (aka APT 28, Fancy Bear, and Sofacy), a Russian operation responsible for numerous disruptive cyberattacks in Ukraine.

SentinelOne researchers first spotted the new variant, AcidPour, on March 16 but have not yet observed anyone using it in an actual attack.

Sandworm Ties

Their initial analysis of the wiper revealed several similarities with AcidRain, which a subsequent deeper dive then confirmed. The notable overlaps that SentinelOne found included AcidPour's use of the same reboot mechanism as AcidRain, and identical logic for recursive directory wiping.

SentinelOne also found AcidPour's IOCTL-based wiping mechanism to be the same as the wiping mechanism in AcidRain and in VPNFilter, a modular attack platform that the US Department of Justice has linked to Sandworm. IOCTL (I/O control) is a kernel interface for sending device-specific commands to a device; the wipers use it to issue erase commands directly to storage devices rather than going through the filesystem.
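As an added, defensive illustration of what "IOCTL-based wiping" looks like from the host's side (this is example code written for this page, not code from SentinelOne's analysis or from any of the wipers described), the following Python script parses auditd-style records and flags ioctl calls made against raw storage device nodes, the layer a wiper of this kind has to reach. The audit rule, the log lines, the process name and paths are all constructed assumptions; the four ioctl request numbers are the Linux kernel's own values and are used only to label alerts.

```python
"""
Flag ioctl() calls that hit raw storage devices in auditd-style records.

Added defensive example written for this page; not code from SentinelOne
or from the wipers the article describes. It assumes an audit rule like
    -a always,exit -F arch=b64 -S ioctl -k blockdev_ioctl
so that every ioctl yields a SYSCALL record plus a PATH record naming the
device node. The sample log below is constructed for illustration, with
syscall numbers already resolved to names for readability.
"""
import re
from collections import defaultdict

# Device node names a wiper must open to erase storage underneath the
# filesystem: whole disks, raw MTD flash, UBI volumes, device-mapper and
# md targets (the article notes AcidPour adds UBI and DM logic).
STORAGE_DEVICE_PATTERNS = [
    re.compile(r"^/dev/(sd[a-z]+|vd[a-z]+|nvme\d+n\d+|mmcblk\d+)$"),
    re.compile(r"^/dev/mtd(block)?\d+$"),
    re.compile(r"^/dev/ubi\d+(_\d+)?$"),
    re.compile(r"^/dev/(dm-\d+|md\d+)$"),
    re.compile(r"^/dev/mapper/.+$"),
]

# Linux ioctl request numbers that erase data below the filesystem layer
# (values from the kernel UAPI headers; used here only to label alerts).
KNOWN_ERASE_REQUESTS = {
    0x1277: "BLKDISCARD",      # _IO(0x12, 119)
    0x127D: "BLKSECDISCARD",   # _IO(0x12, 125)
    0x40084D02: "MEMERASE",    # _IOW('M', 2, struct erase_info_user)
    0x40084D06: "MEMUNLOCK",   # _IOW('M', 6, struct erase_info_user)
}

RECORD_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit line into (type, serial, fields); None if malformed."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("body"))}
    fields["_ts"] = m.group("ts")
    return m.group("type"), m.group("serial"), fields


def is_storage_device(path):
    """True if the path is a device node that exposes raw storage."""
    return any(p.match(path) for p in STORAGE_DEVICE_PATTERNS)


def find_storage_ioctls(lines):
    """Return one alert per ioctl event whose PATH record is a storage device.

    SYSCALL and PATH records of one event share an audit serial, so records
    are grouped by serial first. The request number (a1) is logged in hex.
    """
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in lines:
        parsed = parse_record(line)
        if parsed is None:
            continue
        rtype, serial, fields = parsed
        if rtype == "SYSCALL":
            events[serial]["syscall"] = fields
        elif rtype == "PATH":
            events[serial]["paths"].append(fields.get("name", ""))

    alerts = []
    for serial in sorted(events, key=int):
        sc = events[serial]["syscall"]
        # Accept the resolved name or x86_64's raw syscall number for ioctl (16).
        if not sc or sc.get("syscall") not in ("ioctl", "16"):
            continue
        for path in events[serial]["paths"]:
            if not is_storage_device(path):
                continue
            request = int(sc.get("a1", "0"), 16)
            alerts.append({
                "serial": serial,
                "ts": sc["_ts"],
                "pid": sc.get("pid"),
                "exe": sc.get("exe"),
                "device": path,
                "request": request,
                "request_name": KNOWN_ERASE_REQUESTS.get(request, "unknown"),
            })
    return alerts


# Constructed sample: an unknown binary in /tmp discards a whole disk and
# erases an MTD partition; a shell doing a TCGETS on its pty is benign noise.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1710838800.101:301): arch=c000003e syscall=ioctl success=yes exit=0 a0=3 a1=1277 a2=7ffc2e1b0c40 a3=0 items=1 ppid=1 pid=4242 uid=0 comm="updater" exe="/tmp/.cache/updater" key="blockdev_ioctl"
type=PATH msg=audit(1710838800.101:301): item=0 name="/dev/sda" inode=1234 dev=00:06 mode=060660 ouid=0 ogid=6
type=SYSCALL msg=audit(1710838800.102:302): arch=c000003e syscall=ioctl success=yes exit=0 a0=0 a1=5401 a2=7ffd1a2b3c40 a3=0 items=1 ppid=2000 pid=2001 uid=1000 comm="bash" exe="/usr/bin/bash" key="blockdev_ioctl"
type=PATH msg=audit(1710838800.102:302): item=0 name="/dev/pts/0" inode=3 dev=00:16 mode=020620 ouid=1000 ogid=5
type=SYSCALL msg=audit(1710838800.103:303): arch=c000003e syscall=ioctl success=yes exit=0 a0=5 a1=40084d02 a2=7ffc2e1b0c40 a3=0 items=1 ppid=1 pid=4242 uid=0 comm="updater" exe="/tmp/.cache/updater" key="blockdev_ioctl"
type=PATH msg=audit(1710838800.103:303): item=0 name="/dev/mtd0" inode=88 dev=00:06 mode=020660 ouid=0 ogid=0
"""

if __name__ == "__main__":
    for a in find_storage_ioctls(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"[{a['ts']}] pid={a['pid']} exe={a['exe']} "
              f"ioctl 0x{a['request']:x} ({a['request_name']}) on {a['device']}")
```

Run against the constructed log, the script reports two events from the `/tmp/.cache/updater` process (a `BLKDISCARD` on `/dev/sda` and a `MEMERASE` on `/dev/mtd0`) and ignores the terminal ioctl from the shell. On a real fleet the same grouping works on `ausearch` output, and the unmapped request numbers are worth keeping in the alert, since a legitimate tool such as a firmware updater or `fstrim` will produce the same records and must be whitelisted by executable rather than by request.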

"One of the most interesting aspects of AcidPour is its coding style, reminiscent of the pragmatic CaddyWiper broadly used against Ukrainian targets alongside notable malware like Industroyer 2," SentinelOne said. Both CaddyWiper and Industroyer 2 are malware used by Russia-backed state groups in destructive attacks on organizations in Ukraine, even before Russia's February 2022 invasion of the country.

Ukraine's CERT has analyzed AcidPour and attributed it to UAC-0165, a threat actor that is part of the Sandworm group, SentinelOne said.

AcidPour and AcidRain are among numerous wipers that Russian actors have deployed against Ukrainian targets in recent years, and particularly since the onset of the current war between the two countries. Even though the threat actor managed to knock thousands of modems offline in the Viasat attack, the company was able to recover and redeploy them after removing the malware.

In many other instances, though, organizations have been forced to discard systems following a wiper attack. One of the most notable examples is the 2012 Shamoon wiper attack on Saudi Aramco, which crippled some 30,000 systems at the company.

As was the case with Shamoon and AcidRain, threat actors often have not needed to make wipers sophisticated to be effective. That is because the sole function of the malware is to overwrite or delete data on systems and render them unusable, so the evasion tactics and obfuscation techniques associated with data theft and cyber espionage attacks are not essential.

The best defense against wipers, or at least the best way to limit the damage from them, is to implement the same kind of defenses as for ransomware. That means having backups in place for critical data and ensuring robust incident response plans and capabilities.

Network segmentation is also key, because wipers are more effective when they can spread to other systems, so that kind of defense posture helps thwart lateral movement.
