The PolySwarm Blog


AcidPour Wiper Targets Linux x86 Devices

Mar 29, 2024 12:44:53 PM / by The Hivemind

AcidPour
Related Families: AcidRain
Verticals Targeted: Telecommunications

Executive Summary

AcidPour, a variant of AcidRain, was recently observed targeting entities in Ukraine. The targets likely included telecommunications entities.

Key Takeaways

  • AcidPour, which was first observed on March 16th, is a variant of AcidRain.
  • AcidPour was likely responsible for a recent disruption of telecommunications entities in Ukraine.
  • AcidPour is rewritten in C and was compiled for Linux x86 devices. 
  • AcidPour has been attributed to the UAC-0165 subgroup of VooDoo Bear/Sandworm. 

What is AcidPour?

AcidPour, a variant of AcidRain, was recently observed targeting entities in Ukraine. SentinelOne reported on this activity. Based on the timing of reports of disruption of telecommunications entities in Ukraine, SentinelOne noted that AcidPour was potentially used in those attacks.

The AcidRain wiper was used in 2022 to target Viasat’s KA-SAT network in Ukraine. AcidPour, which was first observed on March 16th, is a variant of AcidRain and was compiled for Linux x86 devices. It is written in C and does not use statically compiled libraries or imports.

AcidPour adds capabilities and is more destructive than AcidRain. It includes Linux Unsorted Block Image (UBI) and Device Mapper (DM) logic. These changes allow AcidPour to more easily disable embedded devices, including networking, IoT, RAID, and ICS devices running x86 Linux distros. AcidPour also includes a self-delete function.

Due to the differences in the architectures targeted, there is less than 30% code similarity between AcidRain and AcidPour. Similarities between the two include use of the same reboot mechanism, the same recursive directory-wiping logic, and the same IOCTL-based wiper mechanism. The wiper mechanism also shares similarities with the VPNFilter plugin ‘dstr’. SentinelOne also noted that AcidPour’s coding style is reminiscent of that used for CaddyWiper.

At this time, CERT-UA has attributed AcidPour to the Russia-nexus threat actor group VooDoo Bear, also known as Sandworm. Ukraine’s SSSCIP associated the activity with UAC-0165, a subgroup of Sandworm.

Who is VooDoo Bear?

VooDoo Bear, also known as Sandworm, BlackEnergy, Quedagh, Telebots, and Iron Viking, is a Russia-nexus threat actor group that has been active since at least 2011. The group is thought to be affiliated with GRU Unit 74455. VooDoo Bear has a history of attacks targeting ICS and critical infrastructure systems. It was allegedly responsible for the 2015 and 2016 cyberattacks on the Ukrainian power grid, the 2017 NotPetya attacks, and Cyclops Blink.

VooDoo Bear TTPs include, but are not limited to, phishing, password spraying, masquerading as other threat actors, credential dumping, defacement, and wipers, and its tooling includes BlackEnergy, GCat, NotPetya, VPNFilter, CHEMISTGAMES, Exaramel, Olympic Destroyer, PassKillDisk, Cyclops Blink, CaddyWiper, ORCSHRED, SOLOSHRED, AWFULSHRED, Industroyer, and Industroyer2. The UAC-0165 subgroup typically targets Ukrainian critical infrastructure, including telecommunications, energy, and government entities.

IOCs

PolySwarm has a sample of AcidPour.


6a8824048417abe156a16455b8e29170f8347312894fde2aabe644c4995d7728

You can use the following CLI command to search for all AcidPour samples in our portal:

$ polyswarm link list -f AcidPour
