Palo Alto Networks researchers analyzed a new malware, dubbed AcidBox, that was employed in targeted attacks and that leverages an exploit previously associated with the Russian-linked Turla APT group.
The Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2007 targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations.
The list of previously known victims is long and also includes the Swiss defense firm RUAG, the US Department of State, and the US Central Command.
The Turla group was the first APT to abuse a third-party device driver to disable Windows Driver Signature Enforcement (DSE), which is implemented to prevent the loading of unsigned drivers.
The exploit used by Turla, referred to as CVE-2008-3431, abuses two vulnerabilities, but only one was ever fixed in the aforementioned CVE.
Turla operators chained the other vulnerability with the CVE-2008-3431 flaw in the first version of their exploit.
A later, second version of the exploit targets only the unknown vulnerability, which is also being exploited by an unknown threat actor that appears to be unrelated to Turla. The vulnerability allows attackers to exploit newer versions of the VirtualBox VBoxDrv.sys driver as well.
“In February 2019, Unit 42 found that a yet-to-be-known threat actor — unbeknownst to the infosec community — discovered that the second unpatched vulnerability can not only exploit VirtualBox VBoxDrv.sys driver v1.6.2, but also all other versions up to v3.0.0. Furthermore, our research shows that this unknown actor exploited VirtualBox driver version 2.2.0 to target at least two different Russian organizations in 2017, which we are revealing for the first time.” reads the analysis published by Palo Alto Networks. “We anticipate this was done because the driver version 2.2.0 wasn’t known to be vulnerable and thus most likely is not on the radar of security companies being exploited.”
The previously unknown threat actor targeted at least two different Russian organizations in 2017 by exploiting version 2.2.0 of the driver. The hackers delivered a previously undetected malware family, tracked as AcidBox.
The researchers believe that the malware was employed only in targeted attacks because they haven’t found other victims of the threat actors.
Experts believe that the AcidBox malware is part of a bigger toolset used by a sophisticated threat actor.
Experts believe the unknown threat actor is not tied to Turla. Collaborating with other security firms, Palo Alto Networks identified three user-mode samples of the malware (64-bit DLLs that load the main worker from the Windows registry) and a kernel-mode payload driver.
The samples have a compilation timestamp of May 9, 2017, and were likely employed in attacks in 2017. The experts did not find newer AcidBox samples, and they have no information about new operations conducted by the unknown threat actor.
“While AcidBox doesn’t use any fundamentally new methods, it breaks the myth that only VirtualBox VBoxDrv.sys 1.6.2 can be used for Turla’s exploit. Appending sensitive data as an overlay in icon resources, abusing the SSP interface for persistence and injection and payload storage in the Windows registry puts it into the category of interesting malware.” concludes the report.
“The samples we dubbed AcidBox are only part of a bigger toolkit which we, unfortunately, could not identify. However, we provide two Yara rules for detection and threat hunting.”
(SecurityAffairs – hacking, Turla)