
AcidRain Malware

Cybersecurity researchers have uncovered another data wiper used in attacks against Ukrainian targets. Named AcidRain, the threat was deployed in a destructive attack aimed at satellite communication modems. The attack took place on February 24, 2022, and targeted the KA-SAT satellite broadband service, wiping the storage of SATCOM modems and rendering them unusable.

AcidRain is a pure wiper: once it is running on a device, it destroys every file it can reach. It first walks the entire filesystem of the infected modem, then turns to the storage devices themselves: flash memory, SD/MMC cards and any virtual block devices, trying every device node it identifies. Regular files are destroyed by overwriting their contents, up to 0x40000 bytes per file. For raw flash, AcidRain drives the MTD (Memory Technology Device) layer directly through the IOCTL (input/output control) system calls MEMGETINFO, MEMUNLOCK, MEMERASE and MEMWRITEOOB, which respectively query the partition geometry, unlock it, erase it and write into its out-of-band area. After wiping, the malware reboots the device, leaving it in an unusable state.
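The four MTD ioctls named above are a usable fingerprint when triaging a firmware image or a suspicious ELF, because their request numbers are fixed by the kernel UAPI headers. The following is an added example, not code from the original page or from the AcidRain sample itself: it ports the kernel's _IOC() macro, derives the request numbers for the generic and MIPS ioctl layouts, and scans a blob for them. The assumption that the target is a 32-bit MIPS Linux binary (big-endian, lui/ori immediate construction) is mine and is not stated on this page; the struct sizes are those of a 32-bit ABI per linux/mtd/mtd-abi.h, and SAMPLE_BLOB is constructed for the demonstration.

```python
"""Added example (not from the original page or the AcidRain sample):
derive the request numbers of the MTD ioctls MEMGETINFO, MEMUNLOCK,
MEMERASE and MEMWRITEOOB and look for them in a binary blob.
Assumptions: 32-bit Linux ABI struct sizes; MIPS big-endian code."""
import struct

# _IOC() bit layout and direction codes per architecture family.
IOC_LAYOUTS = {
    # include/uapi/asm-generic/ioctl.h (x86, arm, ...)
    "generic": {"size_bits": 14, "none": 0, "read": 2, "write": 1},
    # arch/mips/include/uapi/asm/ioctl.h
    "mips":    {"size_bits": 13, "none": 1, "read": 2, "write": 4},
}
NR_BITS = TYPE_BITS = 8

# name -> (direction, nr, sizeof(argument struct) on a 32-bit ABI)
MTD_IOCTLS = {
    "MEMGETINFO":  ("R",  1, 32),  # struct mtd_info_user
    "MEMERASE":    ("W",  2, 8),   # struct erase_info_user
    "MEMWRITEOOB": ("RW", 3, 12),  # struct mtd_oob_buf (32-bit pointer)
    "MEMUNLOCK":   ("W",  6, 8),   # struct erase_info_user
}


def ioc(layout, direction, typ, nr, size):
    """Python port of the kernel's _IOC(dir, type, nr, size) macro."""
    l = IOC_LAYOUTS[layout]
    size_shift = NR_BITS + TYPE_BITS
    dir_shift = size_shift + l["size_bits"]
    return (direction << dir_shift) | (size << size_shift) | (ord(typ) << NR_BITS) | nr


def mtd_ioctl_numbers(layout="mips"):
    """Map ioctl name -> 32-bit request number for the given architecture."""
    l = IOC_LAYOUTS[layout]
    dirs = {"R": l["read"], "W": l["write"], "RW": l["read"] | l["write"]}
    return {name: ioc(layout, dirs[d], "M", nr, size)
            for name, (d, nr, size) in MTD_IOCTLS.items()}


def _mips_lui_ori_present(blob, value, fmt):
    """True if an adjacent lui/ori pair builds `value` in one register."""
    hi, lo = value >> 16, value & 0xFFFF
    LUI, ORI = 0x0F, 0x0D  # primary opcodes, bits 31..26
    for off in range(0, len(blob) - 7, 4):
        w1 = struct.unpack(fmt, blob[off:off + 4])[0]
        w2 = struct.unpack(fmt, blob[off + 4:off + 8])[0]
        lui_rt = (w1 >> 16) & 0x1F
        ori_rs, ori_rt = (w2 >> 21) & 0x1F, (w2 >> 16) & 0x1F
        if ((w1 >> 26) == LUI and (w1 & 0xFFFF) == hi
                and (w2 >> 26) == ORI and (w2 & 0xFFFF) == lo
                and ori_rs == lui_rt == ori_rt):
            return True
    return False


def find_mtd_ioctls(blob, layout="mips", endian="big"):
    """Names of MTD ioctls whose request numbers occur in blob, either as a
    contiguous 32-bit word (data) or, on MIPS, as a lui/ori immediate pair
    (code). Only adjacent lui/ori pairs are recognised."""
    fmt = ">I" if endian == "big" else "<I"
    found = set()
    for name, num in mtd_ioctl_numbers(layout).items():
        if struct.pack(fmt, num) in blob:
            found.add(name)
        elif layout == "mips" and _mips_lui_ori_present(blob, num, fmt):
            found.add(name)
    return found


# Constructed sample: MEMGETINFO stored as a data word, MEMERASE built by
# `lui $t0, 0x8008; ori $t0, $t0, 0x4d02` (big-endian MIPS encoding).
SAMPLE_BLOB = (b"\x00" * 4
               + struct.pack(">I", 0x40204D01)
               + struct.pack(">I", 0x3C088008)
               + struct.pack(">I", 0x35084D02)
               + b"\x00" * 4)

if __name__ == "__main__":
    for arch in ("generic", "mips"):
        print(arch, {k: hex(v) for k, v in mtd_ioctl_numbers(arch).items()})
    print("found in sample:", sorted(find_mtd_ioctls(SAMPLE_BLOB)))
```

Two caveats when using this on a real image: a compiler may schedule other instructions between the lui and the ori, so a miss on the code-section path is not proof of absence, and on a live system the same constants show up in strace output as hex request numbers wherever strace does not know the ioctl name.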

The researchers who discovered and analyzed the attack initially described it as a supply-chain attack that delivered a wiper built specifically for modems and routers. Viasat, the maker of the targeted modems, pushed back on that conclusion, stating that it had found no evidence of supply-chain interference. The company did acknowledge that the destructive AcidRain executable was pushed to the devices using a legitimate management command.
