AcidRain Wiper Malware hit Routers and Modems, Haults Communication

On March 15th, 2022, Virustotal received a suspicious upload which was a MIPS ELF file with the name ‘ukrop’. Researchers at SentinelOne suspected this as a short form of “Ukraine Operations”. But there were also other explanations for it as it was the short form of Ukraine Association of Patriots or a Russian ethnic for Ukrainians “Укроп”.

There was a suspicion that this malware was the one used during the Viasat case. However, SentinelOne went through the malware and provided a full report about its functionality. Development and possible overlaps.

Technical Analysis

This malware is a Wiper that will erase all the data in a targeted system. The analysis stated that this malware uses brute force technique which denotes that the attackers did not know about the particular firmware configurations. If the malware is run as root, it initiates a recursive overwrite and deletion of non-standard files in the machine. 

After this, it makes an attempt to delete the files present in the following device location.

The malware performs a sophisticated attack after this. It iterates all possible device file identifiers. If the device was /dev/mtd* device file, the malware overwrites it with 0x40000 bytes of data. If the device was something other, it uses IOCTLS like MEMGETINFO, MEMUNLOCK, MEMERASE, and MEMWRITEOOB to wipe it. To ensure the deletion was made, it uses fsync syscall. 

If the overwriting takes place, the malware copies from a memory region which was a 4-byte array starting from 0xffffffff and decreases at each index. 

The code used for wiping is given in the below image.

Once all the processes of the malware are executed, it initiates a reboot of the device.

AcidRain has similarities between VPNFilter but is different. They both are MIPS ELF libraries. There is also a possibility that they might be using the same compiler. 

A Complete Analysis, similarities, and other features of the malware were published by SentinelOne.