SentinelOne discovered AcidPour, a destructive wiper malware targeting Linux systems, in March 2024. Unlike ransomware, AcidPour aims to irreversibly delete data on critical storage devices, rendering systems inoperable.
This malware variant, likely used in geopolitical attacks, poses a severe threat to data integrity by overwriting files on SCSI, MTD, MMC, DMSETUP, and UBI devices.
Its sophisticated design and ability to target a wide range of devices underscore the growing danger of wiper malware and the urgent need for robust detection and mitigation strategies.
AcidPour employs a dual defense evasion strategy. First, it overwrites its executable with random bytes and a marker, hindering analysis. Second, it leverages process isolation through fork() and setsid() to obfuscate its activities.
Additionally, it redirects standard file descriptors to /dev/null for stealth. Time-based evasion is achieved using the select() function with configurable timeouts, allowing the malware to introduce unpredictable delays, complicating analysis and detection.
The malware carries out data destruction (T1485) by systematically erasing critical directories, including “/boot”, overwriting the files they contain with 32 KB of random data. This leaves the system inoperable, severely hinders data recovery, and prevents the compromised Linux machine from operating normally.
AcidPour targets and erases data from a wide range of storage devices, including HDDs, SSDs, flash-based storage in embedded systems, smartphones, and virtual disk images. The malware employs two distinct deletion methods based on the device type.
It specifically targets block devices like SCSI, SATA, MMC, and loopback devices, as well as MTD, UBI, and device mapper devices, indicating its ability to compromise various storage configurations and platforms.
The first of its two primary data destruction methods repeatedly overwrites the specified file blocks with 256KB random data buffers, effectively corrupting file integrity.
The second method uses IOCTL commands to manipulate memory directly: it obtains memory region information, unlocks access, erases the contents, and performs out-of-bounds writes, causing extensive damage to the system’s memory and rendering it inoperable.
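As an added defensive example (not code from the original report, SentinelOne or Splunk), the following Python script correlates simplified, constructed audit-style SYSCALL and PATH records and flags processes that open raw storage nodes of the device families listed above (SCSI/SATA, MMC, loopback, MTD, UBI, device mapper) for writing. The record format, the device-name pattern and the flag encoding are assumptions; legitimate tools such as mkfs, dd or firmware flashers trigger the same condition, so hits are triage leads to be checked against the process's executable and parent.

```python
import re
from collections import defaultdict

# Device nodes for the storage families named in the write-up: SCSI/SATA (sd*),
# MMC (mmcblk*), loopback, MTD, UBI and device-mapper. Naming is an assumption.
STORAGE_NODE = re.compile(
    r"^/dev/(sd[a-z]+\d*|mmcblk\d+(p\d+)?|loop\d+|mtd(block)?\d+|ubi\d+(_\d+)?|dm-\d+|mapper/[^/]+)$")
O_ACCMODE, O_RDONLY = 0o3, 0o0  # Linux open(2) access-mode bits
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed, simplified audit-style records (not captured logs); a2 = openat flags as hex.
SAMPLE = [
    'type=SYSCALL msg=audit(1710000000.101:501): syscall=openat success=yes a2=0x2 pid=4242 comm="acidpour" exe="/tmp/acidpour"',
    'type=PATH msg=audit(1710000000.101:501): item=1 name="/dev/sda" nametype=NORMAL',
    'type=SYSCALL msg=audit(1710000000.102:502): syscall=openat success=yes a2=0x1 pid=4242 comm="acidpour" exe="/tmp/acidpour"',
    'type=PATH msg=audit(1710000000.102:502): item=1 name="/dev/mtd0" nametype=NORMAL',
    'type=SYSCALL msg=audit(1710000000.103:503): syscall=openat success=yes a2=0x0 pid=1337 comm="lsblk" exe="/usr/bin/lsblk"',
    'type=PATH msg=audit(1710000000.103:503): item=1 name="/dev/sda" nametype=NORMAL',
    'type=SYSCALL msg=audit(1710000000.104:504): syscall=openat success=yes a2=0x241 pid=2001 comm="bash" exe="/usr/bin/bash"',
    'type=PATH msg=audit(1710000000.104:504): item=1 name="/home/user/notes.txt" nametype=CREATE',
]

def parse(line):
    """Split one key=value record into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def event_id(rec):
    """'audit(1710000000.101:501):' -> '1710000000.101:501', which ties SYSCALL to PATH."""
    m = re.search(r"audit\(([^)]*)\)", rec.get("msg", ""))
    return m.group(1) if m else None

def find_device_writes(lines):
    """Return (pid, comm, exe, device) for each successful open/openat of a raw storage node with O_WRONLY or O_RDWR."""
    events = defaultdict(lambda: {"paths": []})
    for line in lines:
        rec = parse(line)
        if rec.get("type") == "SYSCALL":
            events[event_id(rec)]["syscall"] = rec
        elif rec.get("type") == "PATH":
            events[event_id(rec)]["paths"].append(rec.get("name", ""))
    hits = []
    for ev in events.values():
        sc = ev.get("syscall")
        if not sc or sc.get("syscall") not in ("open", "openat") or sc.get("success") != "yes":
            continue
        if (int(sc.get("a2", "0"), 0) & O_ACCMODE) == O_RDONLY:
            continue  # read-only opens (inventory tools such as lsblk) are not wipes
        hits.extend((sc.get("pid"), sc.get("comm"), sc.get("exe"), n)
                    for n in ev["paths"] if STORAGE_NODE.match(n))
    return hits
```

Running `find_device_writes(SAMPLE)` reports only the two write-capable opens of /dev/sda and /dev/mtd0; the read-only /dev/sda open and the regular-file write are ignored.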
According to the Splunk Threat Research Team, AcidPour obliterates critical files on a compromised system, after which the system reboots and can no longer boot.
AcidPour shares its file-wiping capabilities with AcidRain and VPNFilter’s ‘dstr’ module, but VPNFilter also carries additional functionality such as data exfiltration and code injection. AcidPour, by contrast, focuses solely on system destruction, making it a purely destructive tool.