AcidPour Wiper Targets IoT and Network Devices
SentinelLabs experts have discovered a new destructive malware called AcidPour, which wipes data and targets IoT and network devices running on Linux x86. Researchers believe that AcidPour is a variant of another well-known wiper, AcidRain. For reference, AcidRain is malware designed to destroy data on compromised routers and modems, and was used in an attack on the satellite communications provider Viasat, which ultimately affected service availability in Ukraine and Europe.
On the social network X, cybersecurity expert Juan Andrés Guerrero Saade shared some details about the new malware variant, noting that it is still unknown whether AcidPour has been used in any real-world attacks or who its potential targets might be.
AcidPour is similar to AcidRain in several ways, such as targeting specific directories and paths typical for embedded Linux distributions. However, the codebase of the two wipers overlaps by only 30%. This suggests either significant evolution of the malware or a different origin altogether. The expert believes that another group of attackers may have copied some functions from AcidRain.
The data destruction logic used by AcidPour is based on IOCTL (input/output control) and is similar to the dstr plugin for VPNFilter and AcidRain itself. For example, the wiper contains references to /dev/ubiXX, indicating a clear focus on embedded systems that use flash memory.
There are also references to /dev/dm-XX, which are related to virtual block devices associated with Logical Volume Management (LVM). For instance, NAS devices from QNAP and Synology use LVM to manage RAID arrays.
All of this suggests that AcidPour may be targeting a broader range of devices or systems than its predecessor, which targeted only the MIPS architecture.
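For defenders triaging unknown binaries pulled from embedded or NAS devices, the two traits described above (the target architecture and the embedded device-path references) can be checked statically. The following is an added example, not code from SentinelLabs or from the malware; the function names, the prefix matching and the sample bytes are constructed for illustration, and a hit is only a reason for closer review, since legitimate storage tools reference the same paths.

```python
import re
import struct

# e_machine values from the ELF specification
ELF_MACHINES = {3: "x86", 8: "MIPS", 62: "x86-64"}

# Device-path families named in the article. Only the prefix is matched,
# because the page gives the suffix as the placeholder "XX" (assumption).
DEVICE_PREFIXES = (b"/dev/ubi", b"/dev/dm-")

def elf_machine(data):
    """Return the architecture name from the ELF header, or None if not ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    endian = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little, 2 = big
    (machine,) = struct.unpack_from(endian + "H", data, 18)
    return ELF_MACHINES.get(machine, f"other({machine})")

def device_references(data, min_len=6):
    """Return printable strings in the file that contain a watched prefix."""
    hits = set()
    for match in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        text = match.group()
        for prefix in DEVICE_PREFIXES:
            idx = text.find(prefix)
            if idx != -1:
                hits.add(text[idx:].decode("ascii"))
    return sorted(hits)

def triage(data):
    """Summarise architecture and raw-device references for an analyst."""
    arch = elf_machine(data)
    refs = device_references(data)
    return {"arch": arch, "device_refs": refs,
            "review": arch is not None and bool(refs)}

def build_sample(machine, endian, strings):
    """Constructed input: a minimal ELF-style header followed by strings."""
    ident = b"\x7fELF" + bytes([1, 1 if endian == "<" else 2, 1]) + b"\x00" * 9
    header = ident + struct.pack(endian + "HH", 2, machine)
    return header + b"\x00".join(strings) + b"\x00"

if __name__ == "__main__":
    sample = build_sample(62, "<", [b"/dev/ubiXX", b"/dev/dm-XX"])
    print(triage(sample))
```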
SentinelLabs analysts have shared the malware hash, and a sample can be found on VirusTotal. They are calling on the cybersecurity community to participate in a joint analysis, as the targets and scope of AcidPour’s distribution remain unclear at this time.