Palo Alto Networks researchers have uncovered targeted attacks on Russian organizations. The malware involved, AcidBox, relies on an exploit previously associated with the Russian-speaking hacking group Turla (aka Waterbug, Venomous Bear and KRYPTON).
Turla is known as the first group to abuse a legitimately signed third-party device driver to disable Driver Signature Enforcement (DSE), the protection introduced in Windows Vista that stops unsigned drivers from loading.
Turla's exploit for CVE-2008-3431 used the signed VirtualBox driver VBoxDrv.sys v1.6.2 to turn off DSE and then load unsigned payload drivers. In fact, the exploit abused two vulnerabilities, only one of which was ever patched; a second version of the exploit relied solely on the remaining, unpatched vulnerability, which stayed unknown.
Palo Alto Networks analysts now report that since 2017 an unknown threat actor, clearly unrelated to Turla, has been using that same unpatched vulnerability against newer versions of the VBoxDrv.sys driver.
In 2017 the attackers hit at least two Russian organizations using driver version 2.2.0, probably because that version had not previously been considered vulnerable. The payload they deployed was a previously unknown malware family, which the researchers named AcidBox.
AcidBox uses a form of steganography to hide sensitive data inside icon files, abuses the Security Support Provider (SSP) interface to persist on the system, stores its payload in the Windows registry, and shows no obvious overlap with any other known malware (although it bears a slight resemblance to Remsec).
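The two host-level traces the article describes, a VirtualBox driver loaded on a machine that may have no VirtualBox install, and a Security Support Provider registered with LSA, can be hunted for directly. The PowerShell below is an added example written for this page, not code from Palo Alto Networks or the AcidBox report; the baseline list of SSP names and the decision to report every VBoxDrv.sys instance are assumptions to tune for your environment.

```powershell
# Added hunting example (not from the Unit 42 report or the article). Run as
# administrator on the host being examined.

# 1. Any registered or loaded VBoxDrv.sys, with version and signer. The article
#    names v1.6.2 (Turla) and v2.2.0 (AcidBox) as the abused versions; a copy of
#    this driver on a host with no VirtualBox install deserves a closer look.
function Get-VBoxDrvInstances {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -match 'VBoxDrv\.sys$' } |
        ForEach-Object {
            $path = $_.PathName -replace '^\\\?\?\\', ''   # strip the \??\ NT prefix if present
            $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
            $sig  = if ($file) { Get-AuthenticodeSignature -FilePath $file.FullName } else { $null }
            [pscustomobject]@{
                Service   = $_.Name
                State     = $_.State
                StartMode = $_.StartMode
                Path      = $path
                Version   = if ($file) { $file.VersionInfo.FileVersion } else { 'file missing' }
                Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
                SigStatus = if ($sig) { $sig.Status } else { 'n/a' }
            }
        }
}

# 2. Security Support Providers. LSA loads every DLL named in these REG_MULTI_SZ
#    values at boot, which is what makes the SSP interface attractive for
#    persistence. The baseline below is an assumption: compare against a
#    known-good host of the same Windows build before trusting it.
function Get-UnexpectedSecurityPackages {
    $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $baseline = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', 'cloudap')
    $packages = @()
    foreach ($key in @($lsa, "$lsa\OSConfig")) {
        $value = (Get-ItemProperty -Path $key -Name 'Security Packages' -ErrorAction SilentlyContinue).'Security Packages'
        if ($value) { $packages += @($value) }
    }
    $packages |
        Where-Object { $_ -and ($baseline -notcontains $_.ToLower()) } |
        ForEach-Object {
            $dll = Join-Path $env:SystemRoot "System32\$($_).dll"
            [pscustomobject]@{
                Package   = $_
                DllExists = Test-Path -LiteralPath $dll
                Note      = 'not in baseline; inspect the DLL and its signature'
            }
        }
}

Get-VBoxDrvInstances | Format-Table -AutoSize
Get-UnexpectedSecurityPackages | Format-Table -AutoSize
```

An empty result from both functions is not a clean bill of health: the AcidBox payload lives in the registry rather than on disk, so the YARA rules the researchers published remain the primary detection, and this script only surfaces the two footholds the article names.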
“Since no other victims were found, we believe that this is a very rare piece of malware used only in targeted attacks,” the researchers write.
The analysts stress that AcidBox is certainly part of a larger toolset, probably belonging to an APT group, and may still be in use if that group is still active. Together with other security researchers, the Palo Alto Networks team identified three user-mode samples (64-bit DLLs that load the main worker from the Windows registry) and a kernel-mode payload driver (embedded in the main worker).
All samples were compiled on May 9, 2017 and were most likely used in a campaign that same year. No newer samples have been found, and it is not yet clear whether the group is currently active.
Palo Alto Networks was unable to identify the wider toolkit AcidBox belongs to, but has published two YARA rules for detecting the threat, along with a Python script for extracting the hidden data from the icon files.