Attacking Linux Systems Using x86 Architecture with AcidPour

Like any other widely deployed platform, Linux is used extensively on servers, in cloud environments, and on Internet of Things devices, which makes it an attractive target for attackers. Because it is so widespread and its source code is open, attackers can audit that code for vulnerabilities, and the result is a large attack surface. SentinelLabs cybersecurity researchers have uncovered a new strain of the AcidRain malware called “AcidPour,” which has been observed targeting Linux systems on the x86 architecture.

AcidPour Attacking Linux Systems

“AcidPour” is a new wiper variant with capabilities similar to, and exceeding, those of the infamous “AcidRain” wiper that rendered KA-SAT modems inoperable during Russia's invasion of Ukraine in 2022 and disrupted services across Europe. It was discovered on March 16th, 2024, after a suspicious Linux binary uploaded from Ukraine was identified.

This is the first confirmed variant of AcidRain to be found since the initial research, which noted medium-confidence developmental parallels between AcidRain and Russia's VPNFilter malware. Although there have been multiple cyberattacks against Ukraine since 2022, no new AcidRain variants had been detected until now.


The new AcidPour variant is an x86 ELF binary with expanded, updated capabilities tailored to a wider range of targets. By contrast, AcidRain was a MIPS-compiled Linux wiper that indiscriminately targeted hardcoded paths on embedded devices. Automated code comparison across the two architectures yields a similarity confidence of less than 30 percent.

Deeper examination, however, finds several important similarities: the IOCTL-based wipe method that links AcidPour to AcidRain and to VPNFilter's “dstr” plugin; the reboot mechanism; and the recursive directory wiping logic. Although the architectural differences rule out a direct comparison, the evidence points to AcidPour being an evolved, specialized variant that amplifies AcidRain's destructive potential.


Wiping Mechanisms (Source – SentinelLabs)

With UBI and DM support, AcidPour extends AcidRain's ability to target Linux devices. It can access raw flash memory on embedded systems (handhelds, IoT, networking, and ICS devices) through /dev/ubiXX paths, and it also handles logical volume management through /dev/dm-XX paths, which gives it reach into RAID arrays, SANs, and NASes. Devices supported by AcidRain:


AcidRain’s supported devices (Source – SentinelLabs)
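The UBI and device-mapper targeting described above gives a defender a concrete static indicator to look for: a Linux ELF binary that embeds /dev/ubiXX or /dev/dm-XX path strings. The following triage script is an added example written for this article, not code from SentinelLabs or from the malware analysis; it reads the ELF e_machine field to distinguish x86 and MIPS builds, extracts the device-path strings, and flags the combination. The device-path patterns come from the article; the sample binary it scans is constructed inline as a stand-in for a real file, and the architecture table is limited to the IDs the article mentions.

```python
import re
import struct

# e_machine values from the ELF specification for the architectures the article
# discusses (x86 for AcidPour, MIPS for AcidRain).
ELF_MACHINES = {3: "x86", 8: "MIPS", 62: "x86-64"}

# Device-path patterns named in the write-up: UBI flash volumes and
# device-mapper nodes. These are the only indicators this script knows about.
DEVICE_PATTERNS = {
    "ubi_flash": re.compile(rb"/dev/ubi\d*"),
    "device_mapper": re.compile(rb"/dev/dm-\d*"),
}


def elf_machine(data: bytes):
    """Return the architecture name from an ELF header, or None if not ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    little_endian = data[5] == 1  # EI_DATA: 1 = least-significant byte first
    fmt = "<H" if little_endian else ">H"
    (machine,) = struct.unpack_from(fmt, data, 18)  # e_machine sits at offset 18
    return ELF_MACHINES.get(machine, f"unknown({machine})")


def device_path_hits(data: bytes):
    """Collect every UBI / device-mapper path string embedded in the file."""
    hits = {}
    for name, pattern in DEVICE_PATTERNS.items():
        found = sorted({m.decode() for m in pattern.findall(data)})
        if found:
            hits[name] = found
    return hits


def triage(data: bytes):
    """Flag an ELF that embeds raw-device paths as worth a closer look."""
    arch = elf_machine(data)
    hits = device_path_hits(data)
    return {
        "arch": arch,
        "device_paths": hits,
        "suspicious": arch is not None and bool(hits),
    }


def build_sample(machine: int, strings):
    """Constructed stand-in for a binary: a minimal 64-bit ELF header followed
    by NUL-separated strings. Hypothetical test data, not a real sample."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # 64-bit, LSB, v1
    header = e_ident + struct.pack("<HH", 2, machine)  # e_type=EXEC, e_machine
    header += b"\x00" * (64 - len(header))
    return header + b"\x00".join(strings) + b"\x00"


if __name__ == "__main__":
    sample = build_sample(62, [b"/dev/ubi0", b"/dev/dm-3", b"/etc/hostname"])
    print(triage(sample))
    # → {'arch': 'x86-64', 'device_paths': {'ubi_flash': ['/dev/ubi0'],
    #    'device_mapper': ['/dev/dm-3']}, 'suspicious': True}
```

In practice the script would be pointed at the bytes of a file under investigation; the constructed sample only exercises the logic. A hit is a reason to escalate to dynamic analysis, not a verdict on its own, since legitimate storage tooling also references these nodes.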

AcidPour was coded pragmatically, much as CaddyWiper was against targets in Ukraine. It is written in C and performs tasks such as issuing direct syscalls without depending on external libraries and manipulating strings with inline assembly.

CERT-UA linked this activity to UAC-0165, a Sandworm APT subgroup that targets infrastructure in Ukraine. Ukraine's SCIP connected GRU-affiliated hacktivist accounts, such as SolntsepekZ, to UAC-0165 in September 2023. These accounts claimed to have carried out intrusions before AcidPour's detection.


Telegram presence (Source – SentinelLabs)

SolntsepekZ uses Telegram and domains such as solntsepek[.]com (185.61.137.155). AcidPour's capabilities are consistent with the disruption that began on March 13th, which points to a connection between this persona and GRU operations, and the impact on ISPs such as Triacom is still ongoing. Furthermore, AcidPour shows greater refinement, technical know-how, and a deliberate approach to maximizing its impact on critical infrastructure, which calls for continued observation.