Reading Time: 3 Minutes

A new variant of the data-wiping malware known as AcidRain has emerged, specifically tailored to target Linux x86 devices.

Dubbed AcidPour, this variant represents a notable evolution, compiled specifically for Linux x86 devices, as highlighted by Juan Andres Guerrero-Saade from SentinelOne in a series of posts on X.

Unlike its predecessor AcidRain, which initially surfaced during the Russo-Ukrainian war and targeted KA-SAT modems from U.S. satellite company Viasat, AcidPour employs a distinct codebase and focuses on Linux x86 architecture.

Originally an ELF binary compiled for MIPS architectures, AcidRain demonstrated capabilities in wiping filesystems and known storage device files across Linux distributions by recursively scanning common directories.

Attributed to Russia by the Five Eyes nations, along with Ukraine and the European Union, the cyber attack has now evolved with AcidPour, aiming to erase content from RAID arrays and Unsorted Block Image (UBI) file systems by targeting file paths like “/dev/dm-XX” and “/dev/ubiXX,” respectively.

Discover your weakest link. Be proactive, not reactive. Cybercriminals need just one flaw to strike.

While the specific targets of AcidPour remain unclear, SentinelOne has notified Ukrainian agencies, although the extent of the attacks is yet to be determined.

This discovery highlights once again the prevalent use of wiper malware to incapacitate targets, as threat actors continue to diversify their attack methods to maximize impact.

Director of Cybersecurity at the U.S. National Security Agency, Rob Joyce, issued a warning regarding AcidPour, labeling it as a more potent variant of AcidRain, with broader hardware and operating system coverage.

Simultaneously, the AhnLab Security Intelligence Center (ASEC) unveiled a concerning trend wherein threat actors are leveraging brute-force and dictionary attacks against inadequately secured Linux systems to establish backdoor accounts for persistent access.