The operator Viasat finally disclosed this week the details behind the cyberattack that affected consumer users of the KA-SAT satellite in Europe at the end of February. The Israeli cybersecurity company SentinelLabs has in turn revisited the subject to provide additional information. Its researchers have discovered a new piece of malware, which they have dubbed AcidRain.
SentinelLabs did not understand how legitimate commands sent to the modems by the attacker could have rendered the devices unusable without permanently disabling them. Its hypothesis is that malware overwrote key data in the modem's flash memory, rendering it unusable and requiring a reflash or replacement.
Its team spotted a suspicious upload made on Tuesday, March 15, 2022: a file uploaded to VirusTotal from Italy with the name ukrop, which could refer to the acronym of the Ukrainian Association of Patriots or to a Russian insult against Ukrainians. Only official stakeholders in the investigation of the Viasat affair could confirm this.
Similarities with VPNFilter
For SentinelLabs, this type of software remains relatively rare, and even more so when it targets routers, modems or connected devices. The best-known case is that of VPNFilter, which the FBI and the NSA have accused of being the work of Russia and perhaps even of the Sandworm group.
VPNFilter included an impressive array of features in the form of plug-ins selectively deployed to infected devices. These ranged from stealing credentials and monitoring protocols to erasing and "bricking" devices. Similarities reportedly exist between the code of VPNFilter and that of AcidRain. However, the Israeli researchers consider AcidRain's code to be much less sophisticated and more "sloppy". In short, AcidRain is less subtle, given its much more radical purpose, which is simply to erase devices. It could also be reused more easily on other types of targets.
SentinelLabs calls on the research community to explore this avenue.
Source: Sentinel Labs