AcidPour – a new enemy for Linux

Teacher

SentinelLabs experts have discovered a new destructive malware called AcidPour, which destroys data and targets IoT and network devices based on Linux x86.

Researchers believe that AcidPour is a variant of another well-known wiper, AcidRain. AcidRain is malware designed to destroy data on compromised routers and modems; it was used in the attack on the satellite communications provider Viasat, which ultimately affected the availability of services in Ukraine and Europe.

On the social network X, information security expert Juan Andrés Guerrero-Saade gave some details about the new version of the malware, noting that it is not yet known whether it has been used in any real attacks, or who its target could be.

AcidPour is similar to AcidRain in many ways, for example, it targets certain directories and paths that are typical for embedded Linux distributions, but the wiper's code base is only about 30% the same. This indicates either a significant evolution of the malware or a different origin. The expert believes that another group of attackers could have copied some of AcidRain's functions.

The data destruction logic used by AcidPour is based on IOCTL (input/output control) calls and is similar to the dstr plugin for VPNFilter and to AcidRain itself. For example, the wiper contains references to /dev/ubiXX, so it is clearly focused on embedded systems that use flash memory.


There are also references to /dev/dm-XX and /dev/dm-XX, which relate to virtual block devices associated with Logical Volume Management (LVM), respectively. For example, QNAP and Synology NAS systems use LVM to manage RAID arrays.


All this suggests that AcidPour can target a wider range of devices or systems than its predecessor, which only attacked a specific MIPS architecture.
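To triage a suspect binary for the device-node references described above, here is an added Python example (ours, not SentinelLabs' code and not the malware's) that extracts printable strings the way `strings` does and sorts every `/dev` path it finds into the UBI flash and LVM device-mapper families the report names. The family labels and the sample bytes are constructed assumptions; only the `/dev/ubi` and `/dev/dm-` paths come from the report.

```python
import re

# Device-node families the SentinelLabs write-up says the wiper references.
# The family names are our own labels (assumption); the paths are from the report.
DEVICE_FAMILIES = {
    "ubi_flash_volume": re.compile(rb"/dev/ubi\d+(?:_\d+)?"),   # /dev/ubiXX (and ubiX_Y volumes)
    "lvm_device_mapper": re.compile(rb"/dev/dm-\d+"),          # /dev/dm-XX (LVM / device-mapper)
}
ANY_DEV_NODE = re.compile(rb"/dev/[A-Za-z0-9_\-/]+")

# Constructed stand-in for a sample: an ELF-like header followed by NUL-separated strings.
SAMPLE = b"\x7fELF\x02\x01" + b"\x00" * 8 + b"/dev/ubi0\x00/dev/ubi1\x00/dev/dm-0\x00/dev/null\x00"


def extract_strings(data: bytes, min_len: int = 4):
    """Return printable-ASCII runs of at least min_len bytes (like the `strings` tool)."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def classify_device_refs(data: bytes):
    """Map each device family to the sorted list of /dev paths found in data.
    Paths under /dev that match no known family are reported under 'other'.
    Families with no hits are omitted from the result."""
    found = {name: set() for name in DEVICE_FAMILIES}
    found["other"] = set()
    for s in extract_strings(data):
        for path in ANY_DEV_NODE.findall(s):
            for name, pattern in DEVICE_FAMILIES.items():
                if pattern.fullmatch(path):
                    found[name].add(path.decode())
                    break
            else:
                found["other"].add(path.decode())
    return {name: sorted(paths) for name, paths in found.items() if paths}


def embedded_storage_targets(data: bytes) -> bool:
    """True when a sample names both UBI flash nodes and LVM device-mapper nodes,
    the combination the report highlights as widening the range of affected devices."""
    refs = classify_device_refs(data)
    return "ubi_flash_volume" in refs and "lvm_device_mapper" in refs


if __name__ == "__main__":
    for family, paths in classify_device_refs(SAMPLE).items():
        print(f"{family}: {', '.join(paths)}")
    print("targets both flash and LVM storage:", embedded_storage_targets(SAMPLE))
```

A hit on these strings is a triage signal to prioritise deeper analysis, not proof that a binary is a wiper; legitimate firmware tools reference the same nodes.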

SentinelLabs analysts shared the hash of the malware, a sample of which can be found on VirusTotal, and called on the information security community to take part in a joint analysis, since the goals of AcidPour and the scale of its distribution are currently unclear.