New ‘AcidRain’ malware may be connected to Viasat attack

A post from SentinelOne describes a new wiper malware dubbed “AcidRain” that may be connected to last month’s Viasat attack.

Viasat, a U.S.-based communications company, confirmed via press release Wednesday that it suffered a cyber attack last month. The attack targeted the company’s KA-SAT satellite internet network and affected “several thousand” customers in Ukraine, as well as tens of thousands of fixed broadband customers across Europe.

The internet provider called the attack “multifaceted and deliberate,” and gave some specific attack details in its press release. Viasat did not, however, attribute the attack to a specific threat actor, nor did it provide complete details regarding how the attack occurred.

A Thursday blog post by SentinelOne’s SentinelLabs discussed the attack as well as a potential malware — and threat actor — behind it. The security vendor described AcidRain as a “malware designed to wipe modems and routers.”

Wipers are a destructive class of malware intended to erase the storage contents of the devices they infect, as opposed to something like ransomware, which typically has an end goal of extortion. SentinelLabs researchers and post authors Juan Andres Guerrero-Saade and Max van Amerongen referred to AcidRain as the seventh wiper used in the ongoing Russian war with Ukraine.

The authors described the wiper’s functionality as “relatively straightforward.”

“AcidRain’s functionality is relatively straightforward and takes a brute-force attempt that possibly signifies that the attackers were either unfamiliar with the particulars of the target firmware or wanted the tool to remain generic and reusable,” the post read. “The binary performs an in-depth wipe of the filesystem and various known storage device files. If the code is running as root, AcidRain performs an initial recursive overwrite and delete of non-standard files in the filesystem.”

SentinelOne hypothesized that AcidRain was deployed alongside other potential binaries and scripts through a supply chain attack, mainly because the malware’s functionality matches the open source intelligence surrounding the attack.

Viasat told SearchSecurity in a statement that it does not…