Unearthing Newly Discovered Wiper Malware Linked to Kremlin
Security researchers have recently uncovered a previously unknown wiper malware that closely resembles the Kremlin-linked wiper used two years ago against more than 10,000 satellite modems, most of them in Ukraine, in the hours before Russia's invasion of the country.
Introduction to AcidPour Malware
Named AcidPour by researchers at SentinelOne, the new malware shows striking similarities to AcidRain, a wiper identified in March 2022 that Viasat confirmed was used in the attack on its modems at that time. Wiper malware is built to erase data or render devices inoperable; AcidRain was found on more than 10,000 Eutelsat KA-SAT modems used by Viasat's broadband service, pushed out by attackers who had gained access to the company's private network.
Connection to Previous Malware
SentinelOne, the same firm that discovered AcidRain, noted that technical overlaps between AcidRain and VPNFilter, malware attributed to the Russian government in 2018, strongly suggest a common development team. The discovery of AcidPour, with its similarities to AcidRain, further reinforces the link to Kremlin-affiliated developers.
Technical Details
SentinelOne highlighted the following overlaps between AcidPour and AcidRain:
- Use of the same reboot mechanism
- Similar recursive directory-wiping logic
- Use of the same IOCTL-based device-wiping mechanism
Programming Analysis
Notably, AcidPour is written in C and does not rely on statically compiled libraries or imports; most functionality is implemented through direct syscalls, often issued via inline assembly and raw opcodes, an approach also seen in CaddyWiper and Industroyer. A practical consequence for defenders is that the binary carries no import table to signature on, so triage has to look at the code itself rather than at what it links against.
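As an added illustration, not code from the article or from SentinelOne, the following Python triage script checks a binary for the two traits described above: no dynamic linking (no PT_DYNAMIC or PT_INTERP program header) and raw `syscall` instructions inside executable segments. It assumes an x86-64 ELF64 target and scans for the `0f 05` opcode; that architecture choice is an assumption of this example, not something the article states. The sample binaries it examines are constructed inside the script and are not real malware.

```python
import struct
import sys

# ELF constants (assumption: x86-64 ELF64, little-endian)
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
PF_X, PF_W, PF_R = 1, 2, 4
SYSCALL_OPCODE = b"\x0f\x05"       # x86-64 `syscall` instruction encoding
EHDR_FMT = "<16sHHIQQQIHHHHHH"     # ELF64 file header (64 bytes)
PHDR_FMT = "<IIQQQQQQ"             # ELF64 program header (56 bytes)


def parse_program_headers(data):
    """Return (p_type, p_flags, p_offset, p_filesz) for every program header."""
    if data[:4] != b"\x7fELF" or data[4] != 2:   # EI_CLASS 2 == 64-bit
        raise ValueError("not an ELF64 file")
    hdr = struct.unpack_from(EHDR_FMT, data, 0)
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    phdrs = []
    for i in range(e_phnum):
        p = struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        phdrs.append((p[0], p[1], p[2], p[5]))
    return phdrs


def triage(data, min_sites=3):
    """Heuristic: no dynamic linker/imports plus raw syscalls in executable code."""
    phdrs = parse_program_headers(data)
    types = {p[0] for p in phdrs}
    sites = 0
    for p_type, p_flags, p_offset, p_filesz in phdrs:
        if p_type == PT_LOAD and p_flags & PF_X:
            # count only inside executable segments to limit false hits in data
            sites += data[p_offset:p_offset + p_filesz].count(SYSCALL_OPCODE)
    result = {
        "has_dynamic": PT_DYNAMIC in types,
        "has_interp": PT_INTERP in types,
        "syscall_sites": sites,
    }
    result["flag"] = (not result["has_dynamic"]
                      and not result["has_interp"]
                      and sites >= min_sites)
    return result


def build_sample(static):
    """Constructed ELF64 image for testing this heuristic; not real malware."""
    code = b"\xb8\x3c\x00\x00\x00\x0f\x05" * 4   # mov eax,60 ; syscall (exit), x4
    interp = b"/lib64/ld-linux-x86-64.so.2\x00"
    segs = [(PT_LOAD, PF_R | PF_X)]
    if not static:
        segs += [(PT_INTERP, PF_R), (PT_DYNAMIC, PF_R | PF_W)]
    code_off = 64 + 56 * len(segs)
    ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    ehdr = struct.pack(EHDR_FMT, ident, 2, 0x3E, 1, 0, 64, 0, 0,
                       64, 56, len(segs), 0, 0, 0)
    phdrs = b""
    for p_type, p_flags in segs:
        # non-LOAD headers point at the interp string; only their type matters here
        if p_type == PT_LOAD:
            off, size = code_off, len(code)
        else:
            off, size = code_off + len(code), len(interp)
        phdrs += struct.pack(PHDR_FMT, p_type, p_flags, off, 0, 0, size, size, 1)
    return ehdr + phdrs + code + interp


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(triage(f.read()))
    else:
        for label, static in (("static+syscalls", True), ("dynamic", False)):
            print(label, triage(build_sample(static)))
```

Run it with a file path to triage a real binary, or with no arguments to see the two constructed samples: the static one with four raw syscall sites is flagged, the dynamically linked one is not. The opcode count is a coarse signal (a large statically linked libc also contains many `syscall` instructions), so treat a hit as a prompt for manual review rather than a verdict.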
Connection to Sandworm and Russian Threat Group
There are significant parallels between AcidPour and malware used in Sandworm's earlier attacks on Ukrainian infrastructure, which makes a connection to the same threat group plausible. Ukrainian officials have attributed AcidPour to a splinter group associated with Sandworm.
Impact on Ukrainian Telecommunications
It is speculated, though not yet confirmed, that AcidPour was used to disrupt multiple Ukrainian telecommunications networks, causing widespread outages that have persisted since March 13. The targeting and capabilities of the malware point to a deliberate effort to inflict significant operational impact on critical infrastructure and communications.