AcidRain Malware Wipes Viasat Satellite Modems

AcidRain Malware Wipes Viasat Satellite Modems Featured Image
Nikolina Cveticanin Image
Published:

April 06,2022

DataProt is supported by its audience. When you buy through links on our site, we may earn a commission. This, however, does not influence the evaluations in our reviews. Learn More.

On February 24, AcidRain, a newly discovered data wiper malware, struck the KA-SAT satellite service and wiped SATCOM modems. This attack affected tens of thousands of people across Europe, with Ukrainians being the most affected. 

AcidRain is another data wiper malware designed to wipe and delete every file it can find. SentinelOne researchers who named it AcidRain found that the method of operation makes it easy to redeploy the virus in future attacks. The virus was first spotted on March 15. It was uploaded onto the VirusTotal malware analysis platform from an IP address in Italy. 

When deployed and left undetected by malware removal software, this virus goes through the entire filesystem of the compromised router or modem. It also can wipe out flash memory, virtual block devices, and even SD/MMC cards. The virus is equipped with all possible device identifiers to ensure that no data remains after the attack. After the data is deleted, the virus reboots the device, making it unusable.

SentinelOne researchers Juan Andres Guerrero-Saade and Max van Amerongen explained the virus by saying, “The binary performs an in-depth wipe of the filesystem and various known storage device files. If the code is running as root, AcidRain performs an initial recursive overwrite and delete of non-standard files in the filesystem.”

The researchers from SentinelOne said that the virus was created to wipe modems in the KA-SAT cyberattack. In its report, Viasat initially dismissed the KA-SAT incident, stating that it found "no evidence of any compromise or tampering with Viasat modem software or firmware images and no evidence of any supply-chain interference." 

Later, it did confirm the hypothesis set by SentinelOne, which claimed that the virus might have been developed explicitly for an operation against Ukraine. Viasat has since shipped almost 30,000 modems to bring customers back online. It also stated that the data destroying malware was deployed on modems using "legitimate management" commands.

The AcidRain virus is the seventh malware deployed in attacks against Ukraine. Six others have also been deployed in similar cyberattacks since the beginning of the year, targeting Ukrainian enterprises and organizations.

There are no comments yet
Leave your comment

Your email address will not be published.*