Data-Wiping Malware

A new variant of a data wiping malware called AcidRain has been detected in the wild that's specifically designed for targeting Linux x86 devices.

The malware, dubbed AcidPour, is compiled for Linux x86 devices, SentinelOne's Juan Andres Guerrero-Saade said in a series of posts on X.

"The new variant [...] is an ELF binary compiled for x86 (not MIPS) and while it refers to similar devices/strings, it's a largely different codebase," Guerrero-Saade noted.


AcidRain first came to light in the early days of the Russo-Ukrainian war, with the malware deployed against KA-SAT modems from U.S. satellite company Viasat.

An ELF binary compiled for MIPS architectures, it is capable of wiping the filesystem and different known storage device files by recursively iterating over common directories for most Linux distributions.

The cyber attack was subsequently attributed to Russia by the Five Eyes nations, along with Ukraine and the European Union.

AcidPour, as the new variant is called, is designed to erase content from RAID arrays and Unsorted Block Image (UBI) file systems through the addition of file paths like "/dev/dm-XX" and "/dev/ubiXX," respectively.

It's currently not clear who the intended victims are, although SentinelOne said it notified Ukrainian agencies. The exact scale of the attacks is presently unknown.

The discovery once again underscores the use of wiper malware to cripple targets, even as threat actors are diversifying their attack methods for maximum impact.

"This variant is a more powerful AcidRain variant, covering more hardware and operating system types," warned Rob Joyce, director of cybersecurity at the U.S. National Security Agency.


The development also comes as the AhnLab Security Intelligence Center (ASEC) revealed that threat actors are launching brute-force and dictionary attacks against poorly secured Linux systems to create backdoor accounts for persistent access.

"Attackers may employ various attack methods for adding new accounts, including changing the password of the existing root account and registering an SSH key to log in without entering a password," ASEC said.

Such access is then abused to install various malware strains such as ransomware, cryptocurrency miners, and DDoS bots such as Tsunami, ShellBot, and the KONO DIO DA miner.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.