Specialists at Palo Alto Networks revealed a rare AcidBox malware, which is used for targeted attacks on some organizations. To do this, AcidBox used an exploit that was previously associated with the Russian-speaking hacker group Turla (aka Waterbug, Venomous Bear, and KRYPTON).
In particular, Turla is known for being the first hack group to abuse a third-party device driver to disable Driver Signature Enforcement (DSE), a security feature introduced in Windows Vista to prevent unsigned drivers from loading.Problem CVE-2008-3431, which exploited Turla, used the signed VirtualBox driver (VBoxDrv.sys v1.6.2) to disable DSE and load unsigned payload drivers. However, the group’s exploit, in fact, exploited two vulnerabilities, while only one of them was fixed. There was a second version of the exploit, focused on using only this unknown vulnerability”, – told Palo Alto Networks experts.
Analysts at Palo Alto Networks also reported that since 2017, unknown hackers, apparently not related to Turla, have been using the same fixed problem to exploit new versions of the VBoxDrv.sys driver.
So, in 2017, attackers targeted at least two organizations using the driver version 2.2.0 (probably because this version was not previously considered vulnerable). Thus, the attackers deployed AcidBox, a previously unknown to the experts family of malware.
AcidBox uses some form of steganography and hides confidential data in icons, abuses the SSP interface to securely fix itself in the system, stores its payload in the Windows registry and does not show any obvious parallels with another well-known malware (although it has little resemblance to Remsec).
Since no other victims were found, we believe that this is a very rare malware that is used only in targeted attacks”, — write the experts.
Analysts emphasize that AcidBox is definitely part of a large set of tools, probably belonging to some APT, and can still be used, considering that the hack group itself is still active. Together with other information security experts, Palo Alto Networks researchers were able to identify three usermode samples of malware (64-bit DLLs that load the main worker’s from the Windows registry) and kernelmode payload driver (which is built into the main worker’s).
All samples were compiled on May 9, 2017 and most likely were used as part of a malicious campaign in the same year. Newer samples could not be found, and it is not yet clear whether this hack group is currently active.
Unfortunately, Palo Alto Networks experts could not identify the toolkit. Nevertheless, they shared two YARA rules for detecting this threat, as well as a Python script that helps to extract confidential data from the icons.
Recall that earlier we talked about the fact that Palo Alto Networks experts have discovered a new version of the Mirai malware, famous also aka Mukashi, which scans the network, searches for and attacks Zyxel devices.
