Malware

AcidPour Malware Attacking Linux Data Storage Devices To Wipe Out Data

In March 2024, a new variant of the AcidRain wiper malware dubbed “AcidPour” was noticed. It targets Linux data storage devices and permanently erases data from the targeted systems, making them inoperative.

It targets crucial sectors of Linux devices such as SCSI SATA, Memory Technology Devices (MTD), MultiMediaCard Storage, DMSETUP, and Unsorted Block Image devices, overwriting contents and making recovery virtually impossible.

This damaging malware, which is frequently used in coordinated cyberattacks, can severely compromise an organization’s or an individual’s data.

The Malware’s Behaviour

AcidRain is an ELF malware that targets MIPS-based modems and routers. It is linked to the ViaSat KA-SAT communication disruption that occurred during the early stages of the full-scale invasion of Ukraine in 2022. 

Unlike AcidRain, AcidPour has a defense evasion technique where it overwrites itself with a generated sequence of bytes from 0-255 followed by a command line message “Ok”.

This technique serves as a defense evasion for analysts and malware researchers”, Splunk Threat Research Team shared with Cyber Security News.

Overwrites Itself

Using the select() function to put AcidPour’s code to sleep is another intriguing trick researchers noticed.

The timeout option, which indicates the maximum duration (in seconds) that select() should wait for events before returning, can be computed using two alternative parameters from AcidPour.

Time-based evasion technique

Malware Wipes Out Data On The Vulnerable Linux System

The malware systematically erased, overwritten, and wiped multiple directories as part of its destructive payload.

It primarily targets important folders, like “/boot,” which are necessary for rebooting the compromised Linux system. 

Recovery is almost impossible because the files in these targeted directories are replaced with 32KB of randomly generated bytes.

The wiper repeatedly and methodically overwrites files on the designated device paths with 256KB (0x40000) random-generated buffers by employing the file block overwrite technique.

AcidPour’s alternative method is comparable to AcidRain’s, which uses system Input/Output Control (IOCTL) commands to execute malicious actions. 

“System Shutdown/Reboot (T1529)After wiping and deleting files, the compromised host or system will reboot, rendering it unbootable as all critical files have been wiped and deleted”, researchers said.

While AcidPour and AcidRain, or VPNFilter’s ‘dstr’ module, have similar file wiping capabilities, researchers point out that AcidPour is specifically made to destroy or damage compromised host or production networks, whereas VPNFilter—which Cisco Talos first identified—has extra features for data exfiltration and code injection.

Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges in Organizational Environments

A startling discovery by BeyondTrust researchers has unveiled a critical vulnerability in Microsoft Entra ID…

18 hours ago

Threat Actors Exploit Google Apps Script to Host Phishing Sites

The Cofense Phishing Defense Center has uncovered a highly strategic phishing campaign that leverages Google…

19 hours ago

Dadsec Hacker Group Uses Tycoon2FA Infrastructure to Steal Office365 Credentials

Cybersecurity researchers from Trustwave’s Threat Intelligence Team have uncovered a large-scale phishing campaign orchestrated by…

19 hours ago

Beware: Weaponized AI Tool Installers Infect Devices with Ransomware

Cisco Talos has uncovered a series of malicious threats masquerading as legitimate AI tool installers,…

20 hours ago

Pure Crypter Uses Multiple Evasion Methods to Bypass Windows 11 24H2 Security Features

Pure Crypter, a well-known malware-as-a-service (MaaS) loader, has been recognized as a crucial tool for…

20 hours ago

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges

A recent discovery by security researchers at BeyondTrust has revealed a critical, yet by-design, security…

20 hours ago