Double Trouble: AcidRain & AcidPour Wipers Wreak Havoc in Geopolitical Conflicts

Wiper malware has played a growing role in the war in Ukraine. The AcidRain wiper was used against critical infrastructure to erase data and disrupt operations, and a newer variant, AcidPour, has since surfaced; researchers at SentinelOne and Ruben Santamarta documented the attacks and their impact, and Trellix has since compared the two wipers' code.

The AcidRain attack, launched at the outset of Russia's 2022 invasion of Ukraine, targeted Viasat KA-SAT modems to disrupt satellite communications. It follows a pattern of destructive malware in international conflicts, such as NotPetya and Shamoon, which spread through networks and destroyed data (WannaCry, often grouped with them, was self-propagating ransomware rather than a wiper).

Acid Rain Flowchart

Since AcidRain, further wipers such as IsaacWiper and CaddyWiper (the latter deployed alongside the Industroyer2 ICS malware) have emerged, marking a rise in wiper attacks during conflicts.

More recently, the BiBi, MultiLayer, and SameCoin wipers targeted Israel during its conflict with Hamas, showing that attackers prioritize critical infrastructure during kinetic conflicts.

AcidRain itself is a Linux ELF wiper first detected in March 2022. On start it checks whether it is running as root; if so, it calls its wipe routine directly to recursively delete non-system files.

It then continues, whether or not the root check succeeded, with its other wiping functions, which target the device nodes and directories holding user data and system configuration, leaving the infected device unusable.

The wipe-related functions in AcidRain

AcidPour, a newer Linux wiper that is a variant of AcidRain, is built for x86 devices and expands the wiping capabilities: it overwrites its own binary on disk to hinder analysis, delays wiping by a configurable interval, and wipes additional targets, Unsorted Block Image (UBI) volumes and Logical Volume / Device Mapper (DM) devices, on top of the locations AcidRain targets.

It also recursively walks the /boot directory, wiping every file and subdirectory it encounters.

The AcidPour flowchart

Analysis of the two wipers shows similar wiping logic, though the similarity alone does not prove code reuse.

Part of the overlap could stem from a shared dependency on libraries such as uClibc-ng, a C library common on embedded systems.

The overlap between the two wipers in a flow chart

Such libraries implement routine functionality like process forking, session creation and I/O redirection, which explains why similar constructs appear in the decompiled code of both wipers. Compiler optimizations can blur the picture, however: when library code is statically linked and inlined into the main program, it is no longer obvious which parts came from the library.

AcidPour's main function waits using an uncommon technique: a call to select() with no file descriptor sets and only a timeout, which is exactly how uClibc's sleep() is implemented on certain builds.

FunctionID matches the uClibc code in AcidRain (left) and AcidPour (right)

The decompiled AcidPour code omits the microseconds (tv_usec) field of the timeout, presumably because the compiler folded the constant zero into the store. Trellix matched the Acid wipers' functions against FunctionID libraries generated from binaries on GitHub, including uClibc builds, and found hits, which supports the shared-library explanation for part of the overlap.
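To make that pattern recognizable, here is the select()-as-timer idiom written out in C. This is an added illustration, not code from the wipers or from uClibc itself; the function names select_sleep and timed_select_sleep are my own, and the comment about constant folding describes what a compiler does with a literal zero in tv_usec, not a claim about any specific AcidPour build.

```c
/* select()-as-sleep: the idiom uClibc's sleep() falls back to on builds
 * without nanosleep(), and the shape to look for in decompiled output.
 * Added example, not code from any wiper sample or from uClibc. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <sys/select.h>
#include <time.h>

/* Block until the timeout expires. nfds is 0 and all three fd_set
 * pointers are NULL, so select() has nothing to watch and simply waits
 * out the struct timeval: a pure timer. Returns 0 on timeout, -1 on error. */
int select_sleep(unsigned int seconds, unsigned int microseconds)
{
    struct timeval tv;
    tv.tv_sec  = seconds + microseconds / 1000000u;   /* keep tv_usec < 1e6 */
    tv.tv_usec = microseconds % 1000000u;             /* a literal 0 here is folded
                                                          by the compiler into a plain
                                                          zero store, so decompilers
                                                          often show no "usec" field */
    return select(0, NULL, NULL, NULL, &tv);
}

/* Wall-clock seconds actually spent inside select_sleep(), or -1 on error. */
double timed_select_sleep(unsigned int seconds, unsigned int microseconds)
{
    struct timespec start, end;
    clock_gettime(CLOCK_MONOTONIC, &start);
    if (select_sleep(seconds, microseconds) != 0)
        return -1.0;                       /* interrupted by a signal, or EINVAL */
    clock_gettime(CLOCK_MONOTONIC, &end);
    return (double)(end.tv_sec - start.tv_sec)
         + (double)(end.tv_nsec - start.tv_nsec) / 1e9;
}

int main(void)
{
    double elapsed = timed_select_sleep(0, 250000);   /* 250 ms */
    printf("select() timer slept for %.3f s\n", elapsed);
    return elapsed >= 0.25 ? 0 : 1;
}
```

When you see `select(0, 0, 0, 0, &tv)` in a decompiled main() with only tv_sec initialised, this is the construct to suspect before concluding the sample has its own custom delay loop.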

Overlap between the Acid wipers, taking library code into account

Beyond shared library code, AcidRain and AcidPour still overlap. While the main functions look generic, the specific wiping routines, which issue IOCTL calls against MTD (flash) devices using the kernel's MTD structures, are strikingly similar.
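That comparison is done on decompiled ioctl() calls, so it helps to be able to read the raw request numbers. The following added example (my own code, not Trellix's, SentinelOne's, or the wipers') decodes Linux ioctl request words and names the MTD ioctls defined in linux/mtd/mtd-abi.h. It covers two encodings because AcidRain was built for MIPS (per SentinelOne's original write-up) while AcidPour targets x86 as noted above, and the MIPS encoding uses different direction bits, so a raw constant copied from one sample never equals the same ioctl in the other. The request words in X86_SEQ and MIPS_SEQ are constructed from the encodings here, not extracted from any sample, and the MEMGETINFO, MEMUNLOCK, MEMERASE ordering checked by has_mtd_erase_sequence is assumed here as the generic flash-erase sequence to look for.

```c
/* Decoder for Linux ioctl request numbers as they appear in decompiled code.
 * Added example: names the MTD ioctls from linux/mtd/mtd-abi.h under both the
 * asm-generic encoding (x86) and the MIPS encoding. Not code from any sample. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Field layout of a request word, low bits to high: nr | type | size | dir */
typedef struct {
    const char *arch;
    unsigned nrbits, typebits, sizebits, dirbits;
    unsigned none, read, write;          /* direction codes for this arch */
} ioc_layout;

/* asm-generic/ioctl.h (x86, arm, ...): 8/8/14/2 bits, NONE=0 WRITE=1 READ=2 */
const ioc_layout IOC_GENERIC = { "generic", 8, 8, 14, 2, 0, 2, 1 };
/* arch/mips/include/uapi/asm/ioctl.h: 8/8/13/3 bits, NONE=1 READ=2 WRITE=4 */
const ioc_layout IOC_MIPS    = { "mips",    8, 8, 13, 3, 1, 2, 4 };

typedef struct { unsigned dir, type, nr, size; } ioc_fields;

ioc_fields ioc_decode(const ioc_layout *l, unsigned req)
{
    unsigned tshift = l->nrbits, sshift = tshift + l->typebits;
    unsigned dshift = sshift + l->sizebits;
    ioc_fields f;
    f.nr   =  req            & ((1u << l->nrbits)   - 1);
    f.type = (req >> tshift) & ((1u << l->typebits) - 1);
    f.size = (req >> sshift) & ((1u << l->sizebits) - 1);
    f.dir  = (req >> dshift) & ((1u << l->dirbits)  - 1);
    return f;
}

/* Inverse of ioc_decode: what _IOC(dir, type, nr, size) expands to on arch l. */
unsigned ioc_encode(const ioc_layout *l, unsigned dir, unsigned type,
                    unsigned nr, unsigned size)
{
    unsigned tshift = l->nrbits, sshift = tshift + l->typebits;
    unsigned dshift = sshift + l->sizebits;
    return (dir << dshift) | (size << sshift) | (type << tshift) | nr;
}

/* MTD ioctls: magic 'M' plus number, with the direction _IOR/_IOW/_IOWR implies.
 * Size is decoded but not matched: struct mtd_oob_buf holds a pointer, so
 * MEMWRITEOOB's size differs between 32- and 64-bit builds. */
enum { D_READ, D_WRITE, D_RW };
typedef struct { const char *name; unsigned nr; int dir; } mtd_ioctl;
const mtd_ioctl MTD_IOCTLS[] = {
    { "MEMGETINFO",  1, D_READ  },   /* _IOR('M', 1, struct mtd_info_user)   */
    { "MEMERASE",    2, D_WRITE },   /* _IOW('M', 2, struct erase_info_user) */
    { "MEMWRITEOOB", 3, D_RW    },   /* _IOWR('M', 3, struct mtd_oob_buf)    */
    { "MEMUNLOCK",   6, D_WRITE },   /* _IOW('M', 6, struct erase_info_user) */
};

static unsigned dir_code(const ioc_layout *l, int d)
{
    if (d == D_READ)  return l->read;
    if (d == D_WRITE) return l->write;
    return l->read | l->write;
}

/* Name of the MTD ioctl a request word denotes under layout l, or NULL. */
const char *mtd_ioctl_name(const ioc_layout *l, unsigned req)
{
    ioc_fields f = ioc_decode(l, req);
    if (f.type != 'M') return NULL;
    for (size_t i = 0; i < sizeof MTD_IOCTLS / sizeof MTD_IOCTLS[0]; i++)
        if (MTD_IOCTLS[i].nr == f.nr && dir_code(l, MTD_IOCTLS[i].dir) == f.dir)
            return MTD_IOCTLS[i].name;
    return NULL;
}

/* 1 if the request words contain MEMGETINFO, then MEMUNLOCK, then MEMERASE in
 * that order (assumed here as the flash-erase sequence an MTD wiper must issue). */
int has_mtd_erase_sequence(const ioc_layout *l, const unsigned *reqs, size_t n)
{
    static const char *const want[] = { "MEMGETINFO", "MEMUNLOCK", "MEMERASE" };
    size_t step = 0;
    for (size_t i = 0; i < n && step < 3; i++) {
        const char *name = mtd_ioctl_name(l, reqs[i]);
        if (name && strcmp(name, want[step]) == 0) step++;
    }
    return step == 3;
}

/* Constructed request words, computed from the two encodings above rather than
 * taken from any sample: the same three ioctls as an x86 and as a MIPS build. */
const unsigned X86_SEQ[]  = { 0x80204d01u, 0x40084d06u, 0x40084d02u };
const unsigned MIPS_SEQ[] = { 0x40204d01u, 0x80084d06u, 0x80084d02u };

int main(void)
{
    const ioc_layout *layouts[] = { &IOC_GENERIC, &IOC_MIPS };
    const unsigned *seqs[] = { X86_SEQ, MIPS_SEQ };
    for (int a = 0; a < 2; a++)
        for (int b = 0; b < 2; b++) {
            printf("%s words under %s rules:", a ? "MIPS" : "x86", layouts[b]->arch);
            for (int i = 0; i < 3; i++) {
                const char *n = mtd_ioctl_name(layouts[b], seqs[a][i]);
                printf(" 0x%08x=%s", seqs[a][i], n ? n : "?");
            }
            printf("  erase-sequence=%d\n", has_mtd_erase_sequence(layouts[b], seqs[a], 3));
        }
    return 0;
}
```

Run it and each build's constants resolve to names only under its own architecture's rules; decoded with the other architecture's rules the READ and WRITE bits come out swapped and nothing matches. That is one reason to compare the wipers at the level of call structure and function bodies, as the FunctionID work above does, rather than by matching raw constants across the two samples.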

By contrast, the 'dstr' wiper module of VPNFilter, whose logic differs, shows no such overlap, so the similarity is specific to the two Acid wipers. That points to the AcidPour author having either re-created AcidRain's wiping logic or copied it, possibly from the original source code or from an earlier version of AcidRain.


Kaaviya (https://cyberpress.org/) is a Security Editor and fellow reporter with Cyber Press. She covers cyber security incidents happening in cyberspace.
