AcidPour | New Embedded Wiper Variant of AcidRain Appears in Ukraine

SentinelLabs identified AcidPour, a new x86 Linux wiper that is a variant of AcidRain and includes expanded destructive capabilities targeting UBI and Device Mapper volumes. The sample reuses AcidRain behaviors (IOCTL-based wiping, recursive directory deletion, reboot) while adding self-deletion and new device-targeting logic. #AcidPour #AcidRain

Keypoints

  • SentinelLabs discovered AcidPour, an x86 ELF wiper confirmed to be a variant of AcidRain with expanded capabilities.
  • AcidPour adds support for /dev/ubiXX (UBI volumes layered over MTD raw flash) and /dev/dm-XX (Device Mapper logical devices), extending the wiper's reach from raw flash and block devices to UBI-managed flash and the LVM and software-RAID volumes that Device Mapper backs.
  • The malware reuses the IOCTL-based device wiping routine observed in AcidRain and the VPNFilter ‘dstr’ plugin, and carries an alternate buffer-based overwrite method (a buffer initialised to 0xFF and decremented) that is written repeatedly to the target.
  • AcidPour performs recursive directory wiping, overwrites its own on-disk binary (self-delete), and invokes the same reboot mechanism as AcidRain.
  • The binary is a statically linked, stripped ELF for Intel 80386, written in C without library imports; most functionality is reached through direct syscalls, many issued via inline assembly and raw opcodes.
  • Sample IOCs include hashes and a temporary filename; domains and an IP tied to a claimed GRU-affiliated persona (SolntsepekZ) were observed in related activity.
  • Attribution links AcidPour to prior AcidRain activity and to UAC-0165 / Sandworm-associated clusters, though direct use against specific ISPs remains unconfirmed.

MITRE Techniques

  • [T1485] Data Destruction – Overwrites block devices and directories to render storage unusable (“…overwriting the device repeatedly with the contents of a 256kb buffer.”).
  • [T1490] Inhibit System Recovery – Wipes devices and then essential directories to prevent restoration (“…wiping each, before wiping essential directories.”).
  • [T1529] System Shutdown/Reboot – Triggers a reboot as part of the destructive sequence (“…use of the same reboot mechanism”).
  • [T1070.004] Indicator Removal: File Deletion – Implements self-deletion by overwriting its binary on disk with a byte sequence (“…overwrites it with a sequence of bytes ranging from 0-255 followed by a polite Ok.”).
  • [T1027] Obfuscated Files or Information – Uses direct syscalls and inline assembly instead of libraries to reduce dependency artifacts and hinder analysis (“…programmed in C without relying on statically-compiled libraries or imports. Most functionality is implemented via direct syscalls, many called through the use of inline assembly and opcodes.”).

Indicators of Compromise

  • [File Hashes] Sample identifiers – SHA256: 6a8824048417abe156a16455b8e29170f8347312894fde2aabe644c4995d7728, MD5: 1bde1e4ecc8a85cffef1cd4e5379aa44 (single sample reported).
  • [Filename] Temporary filename – ‘tmphluyl8zn’ (reported filename in submission metadata).
  • [File Properties] Binary context – ELF 32-bit LSB executable, Intel 80386, statically linked, stripped, size 17,388 bytes.
  • [Domains] Actor-associated domains – solntsepek[.]com, solntsepek[.]info (domains linked to the SolntsepekZ persona and related hosting).
  • [IP] Hosting IP – 185.61.137.155 (BlazingFast Hosting in Kiev associated with solntsepek domains).

AcidPour is a compact, statically linked x86 ELF (Intel 80386) binary that implements its destructive functionality primarily through direct syscalls and inline assembly rather than library imports. On execution it first opens and overwrites its own file on disk (writing the byte values 0–255 followed by “Ok”) as a self-delete step, then recursively enumerates and wipes device nodes and filesystem directories. The device list covers the standard block and embedded paths AcidRain already targeted (e.g., /dev/sd*, /dev/mtd*, /dev/mmcblk*, /dev/loop*) and extends that coverage with /dev/ubiXX (UBI volumes atop MTD) and /dev/dm-XX (Device Mapper logical devices), which brings UBI-managed flash and LVM/RAID-backed storage into scope.

For raw device destruction AcidPour reuses the IOCTL-based wiping routine previously seen in AcidRain and the VPNFilter ‘dstr’ plugin, and also contains an alternate mechanism that fills a buffer with 0xFF and decrements the values before writing it over the target; device-specific logic selects the method, and for some devices the wiper repeatedly writes a 256KB buffer until the device is exhausted. The sequence matters for recovery: devices are wiped first, then essential directories are recursively wiped to remove whatever the device-level corruption left intact, and finally the AcidRain reboot mechanism is invoked, so the host comes back (if at all) with neither its storage nor its filesystem in a restorable state.

From an analysis standpoint the binary’s stripped, statically linked nature, use of inline opcodes, and reliance on raw syscalls complicate automated comparison with the MIPS AcidRain builds (automated similarity scoring reports under 30%, and the architecture change alone accounts for much of that gap), but manual review shows clear code reuse in the reboot logic, the recursive directory traversal, and the IOCTL-based device wiping routines. These technical traits, combined with the observed hashes, filename, and actor-linked domains and IP, frame AcidPour as a more capable successor aimed at embedded Linux devices and at larger storage targets such as NAS, RAID and LVM deployments as well as flash-based embedded systems.
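The binary properties reported above (ELF32, Intel 80386, statically linked, stripped) and the self-overwrite artifact (bytes 0–255 followed by “Ok”) are enough to build an offline triage check that does not depend on the published hashes alone. The script below is an added example written for this page, not SentinelLabs tooling or code from the sample: it parses the ELF header, program headers and section headers directly, treats “static” as the absence of PT_INTERP/PT_DYNAMIC, treats “stripped” as the absence of a SHT_SYMTAB section, and scans for the 258-byte self-overwrite pattern (its placement at offset 0 is an assumption, so the check is a substring match). The `build_elf32` helper constructs a minimal ELF image purely so the example runs with no real malware on disk.

```python
"""Offline triage for the AcidPour binary profile (added example, not SentinelLabs code)."""
import hashlib
import struct

# Published IOCs for the single reported sample.
IOC_SHA256 = {"6a8824048417abe156a16455b8e29170f8347312894fde2aabe644c4995d7728"}
IOC_MD5 = {"1bde1e4ecc8a85cffef1cd4e5379aa44"}

# Self-delete artifact: bytes 0x00..0xFF followed by "Ok" (offset is an assumption).
SELF_OVERWRITE_PATTERN = bytes(range(256)) + b"Ok"

ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFDATA2LSB, EM_386 = 1, 1, 3
PT_DYNAMIC, PT_INTERP, SHT_SYMTAB = 2, 3, 2
EHDR_FMT = "<16sHHIIIIIHHHHHH"  # 52-byte ELF32 header, little-endian


def hash_match(data: bytes) -> bool:
    """Exact match against the published sample hashes."""
    return (hashlib.sha256(data).hexdigest() in IOC_SHA256
            or hashlib.md5(data).hexdigest() in IOC_MD5)


def has_self_overwrite_pattern(data: bytes) -> bool:
    """True if the file carries the 0x00..0xFF + "Ok" overwrite sequence anywhere."""
    return SELF_OVERWRITE_PATTERN in data


def elf_fingerprint(data: bytes):
    """Return {i386, static, stripped, size} for an ELF32 LE file, or None otherwise."""
    if len(data) < struct.calcsize(EHDR_FMT) or data[:4] != ELF_MAGIC:
        return None
    (ident, _type, e_machine, _ver, _entry, e_phoff, e_shoff, _flags,
     _ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, _shstrndx) = \
        struct.unpack_from(EHDR_FMT, data, 0)
    if ident[4] != ELFCLASS32 or ident[5] != ELFDATA2LSB:
        return None
    # Program header p_type is the first dword of each entry.
    p_types = set()
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if e_phentsize < 4 or off + e_phentsize > len(data):
            break
        p_types.add(struct.unpack_from("<I", data, off)[0])
    # Section header sh_type is the second dword of each entry.
    sh_types = set()
    for i in range(e_shnum):
        off = e_shoff + i * e_shentsize
        if e_shentsize < 8 or off + e_shentsize > len(data):
            break
        sh_types.add(struct.unpack_from("<I", data, off + 4)[0])
    return {
        "i386": e_machine == EM_386,
        "static": not ({PT_INTERP, PT_DYNAMIC} & p_types),  # no loader, no dynamic section
        "stripped": SHT_SYMTAB not in sh_types,             # no symbol table left behind
        "size": len(data),
    }


def matches_acidpour_profile(data: bytes) -> bool:
    """Structural profile only: ELF32 LE, EM_386, static, stripped. Hash-independent."""
    fp = elf_fingerprint(data)
    return bool(fp) and fp["i386"] and fp["static"] and fp["stripped"]


def triage(data: bytes) -> dict:
    """Combine the three checks into one verdict for a file's bytes."""
    return {
        "ioc_hash": hash_match(data),
        "profile": matches_acidpour_profile(data),
        "self_overwrite": has_self_overwrite_pattern(data),
    }


def build_elf32(machine: int = EM_386, dynamic: bool = False, keep_symtab: bool = False) -> bytes:
    """Constructed minimal ELF32 image for offline testing; it is not a real or runnable binary."""
    phdrs = [(1, 0, 0x8048000, 0x8048000, 0, 0, 5, 0x1000)]          # PT_LOAD
    if dynamic:
        phdrs.append((PT_INTERP, 0, 0, 0, 0, 0, 4, 1))               # would imply dynamic linking
    shdrs = [(0,) * 10]                                               # SHT_NULL entry
    if keep_symtab:
        shdrs.append((0, SHT_SYMTAB, 0, 0, 0, 0, 0, 0, 4, 16))       # unstripped marker
    phoff = struct.calcsize(EHDR_FMT)
    shoff = phoff + 32 * len(phdrs)
    ident = ELF_MAGIC + bytes([ELFCLASS32, ELFDATA2LSB, 1]) + bytes(9)
    hdr = struct.pack(EHDR_FMT, ident, 2, machine, 1, 0x8048000, phoff, shoff, 0,
                      phoff, 32, len(phdrs), 40, len(shdrs), 0)
    return (hdr + b"".join(struct.pack("<8I", *p) for p in phdrs)
            + b"".join(struct.pack("<10I", *s) for s in shdrs))


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:] or []:
        with open(path, "rb") as fh:
            print(path, triage(fh.read()))
```

Run it as `python3 triage.py /path/to/file...` on suspect files pulled from a host; a `profile` hit without an `ioc_hash` hit is the interesting case, since the structural profile survives recompilation while the hashes do not, and a `self_overwrite` hit on an otherwise unremarkable file is a sign the self-delete ran but the inode was not removed. Expect benign static i386 binaries (busybox builds, old installers) to match `profile` as well, so treat it as a pivot for further review rather than a verdict.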

Read more: https://www.sentinelone.com/labs/acidpour-new-embedded-wiper-variant-of-acidrain-appears-in-ukraine/