On March 15th, 2022, Virustotal received a suspicious upload which was a MIPS ELF file with the name ‘ukrop’. Researchers at SentinelOne suspected this as a short form of “Ukraine Operations”. But there were also other explanations for it as it was the short form of Ukraine Association of Patriots or a Russian ethnic for Ukrainians “Укроп”.
There was a suspicion that this malware was the one used during the Viasat case. However, SentinelOne went through the malware and provided a full report about its functionality. Development and possible overlaps.
This malware is a Wiper that will erase all the data in a targeted system. The analysis stated that this malware uses brute force technique which denotes that the attackers did not know about the particular firmware configurations. If the malware is run as root, it initiates a recursive overwrite and deletion of non-standard files in the machine.
After this, it makes an attempt to delete the files present in the following device location.
|A generic block device
|Flash memory (common in routers and IoT devices)
|Another potential way of accessing flash memory
|The device file for flash memory that supports fileops
|For SD/MMC cards
|Another potential way of accessing SD/MMC cards
|Virtual block devices
The malware performs a sophisticated attack after this. It iterates all possible device file identifiers. If the device was /dev/mtd* device file, the malware overwrites it with 0x40000 bytes of data. If the device was something other, it uses IOCTLS like MEMGETINFO, MEMUNLOCK, MEMERASE, and MEMWRITEOOB to wipe it. To ensure the deletion was made, it uses fsync syscall.
If the overwriting takes place, the malware copies from a memory region which was a 4-byte array starting from 0xffffffff and decreases at each index.
The code used for wiping is given in the below image.
Once all the processes of the malware are executed, it initiates a reboot of the device.
AcidRain has similarities between VPNFilter but is different. They both are MIPS ELF libraries. There is also a possibility that they might be using the same compiler.
A Complete Analysis, similarities, and other features of the malware were published by SentinelOne.