Russia unleashes dangerous new wiper


Russia is using a new malware variant with expanded capabilities to target Ukrainian telecommunication networks, cybersecurity threat intelligence platform SentinelLabs has discovered. The launch coincides with enduring disruptions experienced by the country’s internet service providers (ISPs).

Researchers named the novel wiper AcidPour, as it has similarities to the previous variant, AcidRain. The previous version of the malware was first deployed at the start of the Russian invasion of Ukraine in an attempt to disable vital Ukrainian military communications. This attack is also known as the Viasat incident.

On February 24th, 2022, it disabled the Eutelsat KA-SAT modems used by Ukraine’s military. The attack spilled over to Europe and caused other disruptions, such as leaving 5,800 Enercon wind turbines in Germany without remote control and monitoring.

A wiper is a type of malware specifically designed to erase or destroy data on compromised systems and cause permanent damage. Wipers are usually used to sabotage critical systems during larger cyber warfare campaigns.

“The new malware, which we call AcidPour, expands upon AcidRain’s capabilities and destructive potential,” SentinelLabs researchers warn. “Our analysis confirms the connection between AcidRain and AcidPour, effectively connecting it to threat clusters previously publicly attributed to Russian military intelligence. CERT-UA has also attributed this activity to a Sandworm subcluster.”

The new malware variant was identified on March 16th, 2024, when a suspicious Linux binary was uploaded from Ukraine. According to the report, no other similar samples or variants have been detected or publicly reported until now.

The discovery coincides with multiple outages

SentinelLabs hasn’t yet conclusively verified specific targets of AcidPour. However, multiple Ukrainian telecommunication networks have been offline since March 13th. Disruptions recently affected Triangulum, a group of companies providing telephone and internet services under the Triacom brand, and Misto TV in Ukraine. The attacks were publicly claimed by a GRU-operated hacktivist persona on Telegram.

“A review of the current state of these alleged target organizations indicates the impact is still ongoing,” SentinelLabs said.

What’s new with AcidPour?

The new wiper targets x86 architecture and now includes logic to better target RAID arrays and large storage devices.

“It operates by iterating over all possible devices in hardcoded paths, wiping each, before wiping essential directories,” the researchers explained, adding that the wiper lacks specificity and could serve as a “more generic tool” to disable a wider swath of devices reliant on embedded Linux distributions.

Depending on the device type, AcidRain engages a different wiping mechanism, overwriting the device repeatedly with the contents of a 256kb buffer.

AcidRain now also includes a self-delete function.

“It maps the original file into memory, then overwrites it with a sequence of bytes ranging from 0-255 followed by a polite OK,” researchers noted.

AcidPour is programmed in C without relying on statically-compiled libraries or imports. Most functionality is implemented via direct syscalls, many of them invoked through inline assembly and raw opcodes.
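The two traits just described, a binary with no dynamic imports that does its work through raw syscall instructions, can be turned into a static triage check. The following Python is an added defender-side example, not code from SentinelLabs or the article; the 8-per-KiB threshold and the synthetic ELF images it builds are assumptions, and legitimate static musl or Go builds will trip it as well, so it only ranks samples for closer analysis.

```python
import struct

PT_LOAD, PT_DYNAMIC, PT_INTERP, PF_X = 1, 2, 3, 1
SYSCALL_OPCODES = {"syscall": b"\x0f\x05", "int 0x80": b"\xcd\x80"}  # x86-64 / 32-bit x86
# Constructed sample body (not real malware): nops interleaved with raw syscalls.
SAMPLE_CODE = b"\x90\x90\x90\x90\x0f\x05" * 10 + b"\xcd\x80" * 2

def parse_phdrs(data: bytes):
    """Yield (p_type, p_flags, p_offset, p_filesz) for each program header."""
    if data[:4] != b"\x7fELF" or data[5] != 1:
        raise ValueError("expected a little-endian ELF image")
    if data[4] == 2:  # ELFCLASS64
        phoff, = struct.unpack_from("<Q", data, 0x20)
        entsize, phnum = struct.unpack_from("<HH", data, 0x36)
        for i in range(phnum):
            t, fl, off, _, _, fsz, _, _ = struct.unpack_from("<IIQQQQQQ", data, phoff + i * entsize)
            yield t, fl, off, fsz
    else:  # ELFCLASS32
        phoff, = struct.unpack_from("<I", data, 0x1C)
        entsize, phnum = struct.unpack_from("<HH", data, 0x2A)
        for i in range(phnum):
            t, off, _, _, fsz, _, fl, _ = struct.unpack_from("<IIIIIIII", data, phoff + i * entsize)
            yield t, fl, off, fsz

def triage_elf(data: bytes) -> dict:
    """Flag images that are statically linked (no PT_INTERP/PT_DYNAMIC) and carry
    dense raw syscall instructions in executable segments (8/KiB is an assumed cut-off)."""
    types, exec_bytes = set(), b""
    for t, fl, off, fsz in parse_phdrs(data):
        types.add(t)
        if t == PT_LOAD and fl & PF_X:
            exec_bytes += data[off:off + fsz]
    counts = {name: exec_bytes.count(op) for name, op in SYSCALL_OPCODES.items()}
    per_kib = sum(counts.values()) * 1024 / max(len(exec_bytes), 1)
    static = not types & {PT_INTERP, PT_DYNAMIC}
    return {"static": static, "syscalls": counts,
            "syscalls_per_kib": round(per_kib, 1), "suspicious": static and per_kib >= 8}

def build_sample_elf64(code: bytes, dynamic: bool) -> bytes:
    """Constructed ELF64 image: header, one executable PT_LOAD covering the
    whole file, and optionally an empty PT_DYNAMIC to mimic a dynamic build."""
    phnum = 2 if dynamic else 1
    code_off = 64 + 56 * phnum
    ehdr = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0x400000 + code_off, 64, 0, 0, 64, 56, phnum, 0, 0, 0)
    size = code_off + len(code)
    phdrs = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, 0x400000, 0x400000, size, size, 0x1000)
    if dynamic:
        phdrs += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 0, 0, 0, 0, 0, 8)
    return ehdr + phdrs + code
```

Run `triage_elf(open(path, "rb").read())` on a real file; the synthetic static image scores as suspicious while the same code with a PT_DYNAMIC entry does not.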

“The transition from AcidRain to AcidPour, with its expanded capabilities, underscores the strategic intent to inflict significant operational impact. This progression reveals not only a refinement in the technical capabilities of these threat actors but also their calculated approach to select targets that maximize follow-on effects, disrupting critical infrastructure and communications,” researchers concluded.

Little doubt over attribution

AcidPour is built on AcidRain, which shared enough technical similarities with earlier malware that the US government had already attributed to the Russian government, going back to 2018, when the FBI and the Department of Justice attributed the similar VPNFilter campaign to the Russian government.

On May 10th, 2022, the European Union issued an official condemnation of this activity, holding the Russian government responsible.

The Computer Emergency Response Team of Ukraine (CERT-UA) confirmed SentinelLabs' findings and attributed the malicious activity to the group linked with Russia's Intelligence Directorate (GRU).