New AcidRain malware found to be connected to Viasat attack: Sentinel Labs

While investigating the cyber attack, researchers at Sentinel Labs on March 15, found a suspicious upload. This file was named as ‘ukrop’.  Researchers Guerrero-Saade and Van Amerongen said AcidRain is an executable file for MIPS, the hardware architecture for the modems used by Viasat customers. The malware was uploaded to VirusTotal from Italy with the name “ukrop.”

“Possible interpretations include a shorthand for “ukr”aine “op”eration, the acronym for the Ukrainian Association of Patriots, or a Russian ethnic slur for Ukrainians – ‘Укроп’,” said researchers at Sentinel Labs. This findings led researchers to conclude that the attacks originated from Russia.

Viasat has confirmed Sentinel Labs’ hypothesis. In a statement to Bleeping computer, the company said the data destroying malware was deployed on modems using “legitimate management” commands.

“The analysis in the SentinelLabs report regarding the ukrop binary is consistent with the facts in our report ” a Viasat spokesperson was quoted as saying.

Researchers describe the functionality of the malware as “generic”. Just like any other data wiping malware, it infects the system and various storage devices, destroying all their content and data. Once the wiping is successful, the malware makes booting (starting of the system) non-functional.

It performs an in-depth wipe of the filesystem and various known storage device files before destroying all the data. Once the wiping processes are complete, the device is rebooted and ultimately rendered inoperable.

“AcidRain’s functionality is relatively straightforward and takes a bruteforce attempt that possibly signifies that the attackers were either unfamiliar with the particulars of the target firmware or wanted the tool to remain generic and reusable,” said the researchers.

The researchers also noted that AcidRain malware is quite similar to VPNFilter, a piece of malware that infected more than 500,000 home and small-office modems in the US. Back in 2018, the FBI attributed the modem malware to Russian state threat actors  “Fancy Bear” or APT28 hacking group. More recently, the NSA and CISA tied it to Sandworm, which has been accused of a targeting hundreds of firms and hospitals worldwide and also involved with cyberattacks that took down part of the Ukrainian power grid.

Meanwhile, researchers are not sure whether AcidRain and VPNFilter attacks can be tied to the same hacking group. Researchers noted: “a medium-confidence assessment of non-trivial developmental similarities between their components.”

According to Techcrunch, CISA and the FBI have warned that US satellites could be the next target. Last month, researchers  discovered other variants of ‘data-wiper’ malware attacking Ukrainian systems. This includes WhisperGate, Hermetic Wiper, IsaacWiper, MicroBackdoor and CaddyWiper malware.