{"id":2742,"date":"2024-03-18T16:45:02","date_gmt":"2024-03-18T21:45:02","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=79793"},"modified":"2024-03-18T16:45:02","modified_gmt":"2024-03-18T21:45:02","slug":"researchers-spot-updated-version-of-malware-that-hit-viasat","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/03\/18\/researchers-spot-updated-version-of-malware-that-hit-viasat\/","title":{"rendered":"Researchers spot updated version of malware that hit Viasat"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v21.7 (Yoast SEO v21.7) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Researchers spot updated version of malware that hit Viasat | CyberScoop<\/title> <meta name=\"description\" content=\"Russian hackers have added new capabilities to the malware used to disable satellite modems at the outset of the invasion of Ukraine.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/viasat-malware-wiper-acidrain\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Researchers spot updated version of malware that hit Viasat\"> <meta property=\"og:description\" content=\"Russian hackers have added new capabilities to the malware used to disable satellite modems at the outset of the invasion of Ukraine.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/viasat-malware-wiper-acidrain\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-03-18T21:45:02+00:00\"> <meta property=\"article:modified_time\" content=\"2024-03-18T21:45:03+00:00\"> <meta property=\"og:image\" 
content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/researchers-spot-updated-version-of-malware-that-hit-viasat-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1280\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"AJ Vicens\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@AJVicens\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1710269227g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress-next\/dist\/css\/related-posts-block-styles.min.css?m=1709662998g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1710430945g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=74528d75ce0daeb8628a\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/79793\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 
6.4.3\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=79793\">\n<link rel=\"alternate\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fviasat-malware-wiper-acidrain%2F\">\n<link rel=\"alternate\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fviasat-malware-wiper-acidrain%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-79793 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/viasat-malware-wiper-acidrain\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" 
viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"24.864197530864\">\n<div class=\"single-article__header-content\" readability=\"30.167381974249\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/geopolitics\/\"> <span>Geopolitics<\/span> <\/a> <\/li>\n<\/ul>\n<p> Russian hackers have added new capabilities to the malware used to disable satellite modems at the outset of the invasion of Ukraine. <\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/researchers-spot-updated-version-of-malware-that-hit-viasat.jpg?resize=640%2C426&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/researchers-spot-updated-version-of-malware-that-hit-viasat-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/researchers-spot-updated-version-of-malware-that-hit-viasat-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/researchers-spot-updated-version-of-malware-that-hit-viasat-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/researchers-spot-updated-version-of-malware-that-hit-viasat-2.jpg?resize=1024,683 1024w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/researchers-spot-updated-version-of-malware-that-hit-viasat-2.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/researchers-spot-updated-version-of-malware-that-hit-viasat-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/researchers-spot-updated-version-of-malware-that-hit-viasat-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/researchers-spot-updated-version-of-malware-that-hit-viasat-2.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/researchers-spot-updated-version-of-malware-that-hit-viasat-2.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/researchers-spot-updated-version-of-malware-that-hit-viasat-2.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> Close up view of internet equipment and cables in the server room. (standret\/Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"34.356723429243\"><body readability=\"69.374096196165\"><\/p>\n<p>A new variant of the wiper malware used to disrupt Ukrainian military communications at the onset of the Russian invasion emerged over the weekend, demonstrating what researchers describe as the continuing development of a tool used to carry out one of the most notable cyberattacks of the war. <\/p>\n<p>On Feb. 24, 2022, the night before the Russian government launched its full-scale invasion, Russian-backed hackers <a href=\"https:\/\/cyberscoop.com\/viasat-ka-sat-hack-black-hat\/\">targeted thousands of modems linked to Viasat<\/a>, the U.S.-based satellite and internet communications company relied on by the Ukrainian military. 
The attack \u2014&nbsp;<a href=\"https:\/\/cyberscoop.com\/viasat-hack-russia-uk-eu-us-ukraine\/\">attributed<\/a> to the Russian government by the United States and its allies \u2014&nbsp;relied on a piece of malware that researchers with <a href=\"https:\/\/www.sentinelone.com\/labs\/acidrain-a-modem-wiper-rains-down-on-europe\/\">SentinelLabs dubbed \u201cAcidRain<\/a>.\u201d <\/p>\n<p>On Saturday, a new variant of that malware was uploaded to VirusTotal, a malware information-sharing platform, and spotted by Tom Hegel, principal threat researcher at SentinelOne. <\/p>\n<p>Dubbed \u201cAcidPour\u201d by Hegel and his colleagues, the new variant is concerning because it has new features and could be used as part of a \u201clarger service disruption by Russia\u201d and wipe the contents of not just modems but a range of other devices, Hegel told CyberScoop in an email Monday. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Wiper attacks have been <a href=\"https:\/\/cyberscoop.com\/hacks-leaks-and-wipers-google-analyzes-a-year-of-russian-cyberattacks-on-ukraine\/\">a go-to for Russian attacks<\/a> on Ukrainian government and private-sector targets <a href=\"http:\/\/welivesecurity.com\/2023\/02\/24\/year-wiper-attacks-ukraine\/\">in the past two years<\/a>, and the latest version of the software used to target Viasat shows how Russian hacking groups are evolving their tools. <\/p>\n<p>While the original version was designed to wipe modems and routers, the updated software is far more capable. \u201cNow AcidPour is markedly different on a technical level \u2014 it has different architecture, and new features,\u201d Hegel said. 
\u201cThis time the attacker can wipe <a href=\"https:\/\/www.techtarget.com\/searchstorage\/definition\/RAID\">RAID arrays<\/a> and <a href=\"https:\/\/www.kernel.org\/doc\/html\/latest\/filesystems\/ubifs.html\">UBI<\/a> \u2013 which could be used for a different level of impact, and potentially even more difficult to prevent and recover from.\u201d<\/p>\n<p>RAID and UBI generally refer to a system\u2019s data storage functions, and it appears the updated malware could be used to target storage in embedded devices \u2014&nbsp;components within larger systems \u2014&nbsp;including IoT, networking devices and \u201cmaybe some [industrial control systems],\u201d Juan Andres Guerrero-Saade, the associate vice president of the SentinelLabs research unit at SentinelOne, <a href=\"http:\/\/x.com\/juanandres_gs\/status\/1769728620728025294?s=20\">wrote on X<\/a>.<\/p>\n<p>\u201cThe identification of impacting RAID, and Unsorted Block Image File Systems (UBIFS) used by embedded devices \u2014 which of course can span many types of real-world devices \u2014 is noteworthy,\u201d Hegel explained. \u201cEmbedded devices are particularly concerning as they often serve critical needs yet lack simple detection and recovery options if they were to be wiped.\u201d<\/p>\n<p>Hegel said he would expect the malware to be deployed to \u201cmany devices,\u201d including those in data centers, network-attached storage devices or others. \u201cIt should work on them all,\u201d he said. 
\u201cBig open door for what it could be used on.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>It\u2019s not clear where or if this malware has been deployed, Guerrero-Saade said, and authorities in Ukraine have been notified.<\/p>\n<p>Ukraine\u2019s Computer Emergency Response Team did not immediately respond to a request for comment from CyberScoop on Monday afternoon.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"1.21875\">\n<div class=\"author-card\" readability=\"8\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/researchers-spot-updated-version-of-malware-that-hit-viasat-1.jpg?w=640&#038;ssl=1\" alt=\"AJ Vicens\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by AJ Vicens<\/h4>\n<p> AJ covers nation-state threats and cybercrime. He was previously a reporter at Mother Jones. Get in touch via Signal\/WhatsApp: (810-206-9411). 
<\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" 
class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/viasat-malware-wiper-acidrain\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Researchers spot updated version of malware that hit Viasat |<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1696,1697,302,270,354,1698],"tags":[1699,1700,306,276,358,1701],"class_list":["post-2742","post","type-post","status-publish","format-standard","hentry","category-acidpour","category-acidrain","category-geopolitics","category-russia","category-ukraine","category-wiper-malware","tag-acidpour","tag-acidrain","tag-geopolitics","tag-russia","tag-ukraine","tag-wiper-malware"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/acidpour\/\" rel=\"category tag\">AcidPour<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/acidrain\/\" rel=\"category tag\">AcidRain<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/geopolitics\/\" rel=\"category tag\">Geopolitics<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/russia\/\" rel=\"category tag\">Russia<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ukraine\/\" rel=\"category tag\">Ukraine<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/wiper-malware\/\" rel=\"category tag\">wiper malware<\/a>","tag_info":"wiper 
malware","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2742","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=2742"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2742\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=2742"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=2742"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=2742"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}