A new variant of the wiper malware used to disrupt Ukrainian military communications at the onset of the Russian invasion emerged over the weekend, demonstrating what researchers describe as the continuing development of a tool used to carry out one of the most notable cyberattacks of the war.
On Feb. 24, 2022, the night before the Russian government launched its full-scale invasion, Russian-backed hackers targeted thousands of modems linked to Viasat, the U.S.-based satellite and internet communications company relied on by the Ukrainian military. The attack — attributed to the Russian government by the United States and its allies — relied on a piece of malware that researchers with SentinelLabs dubbed “AcidRain.”
On Saturday, a new variant of that malware was uploaded to VirusTotal, a malware information-sharing platform, and spotted by Tom Hegel, principal threat researcher at SentinelOne.
Dubbed “AcidPour” by Hegel and his colleagues, the new variant is concerning because it has new features and could be used as part of a “larger service disruption by Russia” and wipe the contents of not just modems but a range of other devices, Hegel told CyberScoop in an email Monday.
Wiper attacks have been a go-to for Russian attacks on Ukrainian government and private-sector targets in the past two years, and the latest version of the software used to target Viasat shows how Russian hacking groups are evolving their tools.
While the original version was designed to wipe modems and routers, the updated software is far more capable. “Now AcidPour is markedly different on a technical level — it has different architecture, and new features,” Hegel said. “This time the attacker can wipe RAID arrays and UBI – which could be used for a different level of impact, and potentially even more difficult to prevent and recover from.”
RAID and UBI generally refer to a system’s memory functions, and it appears the updated malware could be used to target memory in embedded devices — components within larger systems — including IoT, networking devices and “maybe some [industrial control systems],” Juan Andres Guerrero-Saade, the associate vice president of the SentinelLabs research unit at SentinelOne, wrote on X.
“The identification of impacting RAID, and Unsorted Block Image File Systems (UBIFS) used by embedded devices — which of course can span many types of real-world devices — is noteworthy,” Hegel explained. “Embedded devices are particularly concerning as they often serve critical needs yet lack simple detection and recovery options if they were to be wiped.”
Hegel said he would expect the malware to be deployed to “many devices,” including those in data centers, network-attached storage devices or others. “It should work on them all,” he said. “Big open door for what it could be used on.”
It’s not clear where or if this malware has been deployed, Guerrero-Saade said, and authorities in Ukraine have been notified.
Ukraine’s Computer Emergency Response Team did not immediately respond to a request for comment from CyberScoop on Monday afternoon.
The post Researchers spot updated version of malware that hit Viasat appeared first on CyberScoop.