AcidPour Attacking Linux Systems Running On x86 Architecture

by Esmeralda McKenzie

Linux systems are widely used for servers, cloud environments, and IoT devices, which makes them an attractive target for cybercriminals, just as any other platform is.

Its wide adoption also presents a large attack surface, and its open-source nature lets attackers analyze its code for weaknesses.


Cybersecurity researchers at SentinelLabs recently discovered a new variant of the AcidRain malware, dubbed “AcidPour,” that has been found attacking Linux systems running on the x86 architecture.

AcidPour Attacking Linux Systems

On March 16th, 2024, a suspicious Linux binary uploaded from Ukraine was identified as a new variant called “AcidPour,” a wiper with capabilities similar to, and expanded from, the notorious “AcidRain” that rendered KA-SAT modems inoperable during Russia’s invasion of Ukraine in 2022, disrupting services across Europe.


This is the first confirmed AcidRain variant detected since the original analysis, which assessed medium-confidence developmental similarities between AcidRain and Russia’s VPNFilter malware.

Despite a variety of cyber operations against Ukraine since 2022, no further AcidRain variants had been observed until now.

Whereas AcidRain was a MIPS-compiled Linux wiper indiscriminately targeting hardcoded paths on embedded devices, the new AcidPour variant is an x86 ELF binary with expanded, modified capabilities tailored for different targets.

Automated code comparison across architectures yields low (<30%) similarity confidence.

However, deep analysis reveals significant shared traits: the reboot mechanism, the recursive directory-wiping logic, and, critically, the IOCTL-based wipe approach that links AcidPour to AcidRain and to VPNFilter’s “dstr” plugin.

Despite architectural differences limiting direct comparison, the evidence suggests AcidPour is an advanced, highly skilled variant building on AcidRain’s destructive capabilities.

[Image] Wiping Mechanisms (Source – SentinelLabs)

AcidPour expands AcidRain’s capabilities to target Linux devices with UBI and DM support.

It allows raw access to flash memory via /dev/ubiXX paths on embedded systems such as handhelds, IoT, networking, and ICS devices.

Additionally, it handles /dev/dm-XX paths for logical volume management, enabling access to SANs, NASes, and RAID arrays. AcidRain’s supported devices:

[Image] AcidRain’s supported devices (Source – SentinelLabs)
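As an added triage example (not SentinelLabs’ code or anything taken from the report), the following Python script reads an ELF header to tell an x86/x86-64 binary from a MIPS one and extracts hardcoded /dev/ubiXX and /dev/dm-XX device paths of the kind the article describes. The additional sd/mtd patterns and the sample blob are constructed assumptions for offline testing, not indicators from the page.

```python
import re
import struct
from typing import Optional

# e_machine values from the ELF specification (the subset relevant here)
EM_NAMES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}

# Device-path patterns: /dev/ubiXX (raw flash) and /dev/dm-XX (device mapper)
# are the paths the article names; sd/mtd nodes are an added assumption.
DEVICE_PATH_RE = re.compile(rb"/dev/(?:ubi\d+(?:_\d+)?|dm-\d+|sd[a-z]+|mtd(?:block)?\d+)")

def elf_arch(blob: bytes) -> Optional[str]:
    """Return the ELF architecture name, or None if blob is not an ELF file."""
    if len(blob) < 20 or blob[:4] != b"\x7fELF":
        return None
    endian = "<" if blob[5] == 1 else ">"          # EI_DATA: 1 = LSB, 2 = MSB
    (e_machine,) = struct.unpack_from(endian + "H", blob, 18)
    return EM_NAMES.get(e_machine, f"unknown({e_machine})")

def device_paths(blob: bytes) -> list:
    """Unique hardcoded device paths found in the binary, in order of appearance."""
    seen = []
    for m in DEVICE_PATH_RE.finditer(blob):
        path = m.group().decode()
        if path not in seen:
            seen.append(path)
    return seen

def triage(blob: bytes) -> dict:
    """Summarise architecture and embedded device paths for an analyst."""
    arch = elf_arch(blob)
    paths = device_paths(blob) if arch else []
    return {
        "arch": arch,
        "device_paths": paths,
        # Flag x86 ELFs embedding both UBI and DM paths, the combination the article highlights
        "ubi_and_dm_on_x86": arch in ("x86", "x86-64")
        and any(p.startswith("/dev/ubi") for p in paths)
        and any(p.startswith("/dev/dm-") for p in paths),
    }

def make_sample(e_machine: int, strings: list) -> bytes:
    """Constructed minimal ELF-like blob (64-bit LSB header + string table) for testing."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    header = ident + struct.pack("<HH", 2, e_machine) + b"\x00" * 44
    return header + b"\x00".join(strings) + b"\x00"

if __name__ == "__main__":
    sample = make_sample(62, [b"/dev/ubi0", b"/dev/dm-1", b"/dev/sda", b"/bin/sh"])
    print(triage(sample))
```

On a real sample, replace the constructed blob with the file contents; the string scan is a quick first pass and does not replace proper disassembly of the wipe routine.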

AcidPour’s coding style is pragmatic, similar to the way CaddyWiper was used against Ukrainian targets.

It is written in C without external libraries; it uses direct syscalls and inline assembly for operations such as string manipulation.

CERT-UA attributed this activity to UAC-0165, a Sandworm APT subgroup targeting Ukrainian infrastructure.

In September 2023, Ukraine’s SSSCIP linked UAC-0165 to GRU-linked hacktivist personas such as SolntsepekZ, which claimed intrusions before AcidPour’s discovery.

[Image] Telegram presence (Source – SentinelLabs)

SolntsepekZ uses Telegram and domains such as solntsepek[. ]com (185.61.137.155).

While the impact on ISPs such as Triacom is ongoing, AcidPour’s capabilities fit this disruption, which started on March 13th, suggesting links between this persona and GRU operations.

Moreover, AcidPour displays improved refinement, technical expertise, and an analytic approach to maximising its effect on critical infrastructure, which requires ongoing monitoring.


Source credit : cybersecuritynews.com
