win.acidbox

AcidBox

aka: MagicScroll

Unit 42 found AcidBox in February 2019 and describes it as a malware family that an unknown threat actor used against Russian entities in 2017 (as reported by Dr.Web). It reused, and improved on, an exploit for VirtualBox that Turla had previously used. The malware itself is a modular toolkit with both user-mode and kernel-mode components, and it employs anti-analysis techniques such as stack-based string construction and XOR-encoded, dynamically resolved API usage.

References
2020-08-13Talos IntelligenceMartin Lee, Paul Rascagnères, Vitor Ventura
@online{lee:20200813:attribution:ced59ff, author = {Martin Lee and Paul Rascagnères and Vitor Ventura}, title = {{Attribution: A Puzzle}}, date = {2020-08-13}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2020/08/attribution-puzzle.html}, language = {English}, urldate = {2020-08-14} } Attribution: A Puzzle
WellMail elf.wellmess AcidBox WellMess
2020-07-29Kaspersky LabsGReAT
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-06-17paloalto Networks Unit 42Dominik Reichel, Esmid Idrizovic
@online{reichel:20200617:acidbox:556ade7, author = {Dominik Reichel and Esmid Idrizovic}, title = {{AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations}}, date = {2020-06-17}, organization = {paloalto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/acidbox-rare-malware/}, language = {English}, urldate = {2020-06-18} } AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations
AcidBox
2020-05-26EpicTurlaJuan Andrés Guerrero-Saade
@online{guerrerosaade:20200526:acidbox:06edc14, author = {Juan Andrés Guerrero-Saade}, title = {{ACIDBOX Clustering}}, date = {2020-05-26}, organization = {EpicTurla}, url = {https://www.epicturla.com/blog/acidbox-clustering}, language = {English}, urldate = {2020-06-29} } ACIDBOX Clustering
AcidBox
Yara Rules
[TLP:WHITE] win_acidbox_auto (20220516 | Detects win.acidbox.)
rule win_acidbox_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.acidbox."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acidbox"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     *
     * Reviewer notes:
     * - The byte sequences are x86-64 code (REX prefixes 0x44/0x48/0x49/0x4c
     *   appear throughout). The per-line disassembly comments below were
     *   re-derived by hand from the bytes; the auto-generated comment column
     *   shipped with this rule did not correspond to the hex on the same line
     *   and should not be relied on for triage.
     * - The match condition is "7 of them", so no single sequence decides a
     *   hit. That matters because a few sequences are fairly generic compiler
     *   idioms ($sequence_4: call / mov ebx,eax / test / jne; $sequence_6:
     *   two lea's into the stack frame followed by an indirect call) while
     *   others are sample-specific (the immediate stores in $sequence_0,
     *   $sequence_7 and $sequence_9). Treat a hit with exactly 7 matches that
     *   lacks the immediate-store sequences with lower confidence.
     * - The filesize bound (576 KiB) is derived from the reference sample and
     *   will miss larger builds or padded/appended files; it is also
     *   irrelevant when scanning process memory.
     */


    strings:
        // Seven consecutive dword stores at [rax-0x58 .. rax-0x40]. The stored
        // values, read back in memory order, look like x64 instruction bytes
        // (48 8b 5c ..., 48 8d 0d ..., ... e8) interleaved with 0xff/0x00 and
        // 0xaabbccdd fillers, i.e. presumably a code/pattern template whose
        // placeholders are patched later. Purpose not confirmable from here.
        $sequence_0 = { c740a8488b5c30 c740acfffff0ff c740b0488d0daa c740b4ffffff00 c740b8bbccdde8 c740bc000000ff c740c0aabbccdd }
            // n = 7, score = 400
            //   c740a8488b5c30       | mov                 dword ptr [rax - 0x58], 0x305c8b48
            //   c740acfffff0ff       | mov                 dword ptr [rax - 0x54], 0xfff0ffff
            //   c740b0488d0daa       | mov                 dword ptr [rax - 0x50], 0xaa0d8d48
            //   c740b4ffffff00       | mov                 dword ptr [rax - 0x4c], 0x00ffffff
            //   c740b8bbccdde8       | mov                 dword ptr [rax - 0x48], 0xe8ddccbb
            //   c740bc000000ff       | mov                 dword ptr [rax - 0x44], 0xff000000
            //   c740c0aabbccdd       | mov                 dword ptr [rax - 0x40], 0xddccbbaa

        // Field update on a structure in rbx (+0x28 / +0x2c) around a call
        // with rsi as the first argument (Windows x64 ABI: rcx).
        $sequence_1 = { 44017328 488bce e8???????? 8b4b2c }
            // n = 4, score = 400
            //   44017328             | add                 dword ptr [rbx + 0x28], r14d
            //   488bce               | mov                 rcx, rsi
            //   e8????????           | call                <rel32>
            //   8b4b2c               | mov                 ecx, dword ptr [rbx + 0x2c]

        // Initialises a block of qwords relative to r11 (likely a local frame
        // or out-parameter area): rax, rdi, then three zeroes.
        $sequence_2 = { 49894398 49897ba8 33c9 49894bb0 49894bb8 49894bc0 }
            // n = 6, score = 400
            //   49894398             | mov                 qword ptr [r11 - 0x68], rax
            //   49897ba8             | mov                 qword ptr [r11 - 0x58], rdi
            //   33c9                 | xor                 ecx, ecx
            //   49894bb0             | mov                 qword ptr [r11 - 0x50], rcx
            //   49894bb8             | mov                 qword ptr [r11 - 0x48], rcx
            //   49894bc0             | mov                 qword ptr [r11 - 0x40], rcx

        // Counter/pointer bookkeeping: ebx is subtracted from r13d and from a
        // dword at [rdi+0x48], r9 is advanced by rax and saved, then the
        // updated [rdi+0x48] is compared with edx.
        $sequence_3 = { 8bc3 442beb 4c03c8 295f48 4c894de0 395748 0f852f110000 }
            // n = 7, score = 400
            //   8bc3                 | mov                 eax, ebx
            //   442beb               | sub                 r13d, ebx
            //   4c03c8               | add                 r9, rax
            //   295f48               | sub                 dword ptr [rdi + 0x48], ebx
            //   4c894de0             | mov                 qword ptr [rbp - 0x20], r9
            //   395748               | cmp                 dword ptr [rdi + 0x48], edx
            //   0f852f110000         | jne                 +0x112f

        // Generic "call, keep result in ebx and a stack slot, branch on
        // non-zero" idiom; weak evidence on its own.
        $sequence_4 = { e8???????? 8bd8 89442420 85c0 7562 }
            // n = 5, score = 400
            //   e8????????           | call                <rel32>
            //   8bd8                 | mov                 ebx, eax
            //   89442420             | mov                 dword ptr [rsp + 0x20], eax
            //   85c0                 | test                eax, eax
            //   7562                 | jne                 +0x62

        // Byte-level flag tests on al (zero test, then the high nibble 0xf0),
        // each branching forward; the surviving value is copied to r10d/ecx.
        $sequence_5 = { 77b9 84c0 0f84cc000000 a8f0 0f85c4000000 448bd0 0fb6c8 }
            // n = 7, score = 400
            //   77b9                 | ja                  -0x47
            //   84c0                 | test                al, al
            //   0f84cc000000         | je                  +0xcc
            //   a8f0                 | test                al, 0xf0
            //   0f85c4000000         | jne                 +0xc4
            //   448bd0               | mov                 r10d, eax
            //   0fb6c8               | movzx               ecx, al

        // Null-check on rdi, then an indirect call through rax with
        // rcx = 0 and two stack-buffer addresses as the 2nd/3rd arguments.
        // Consistent with the dynamically resolved API usage described for
        // this family, but the callee is not identifiable from the bytes.
        $sequence_6 = { 4885ff 0f848f010000 4c8d8424a0000000 488d9424a8000000 33c9 ffd0 }
            // n = 6, score = 400
            //   4885ff               | test                rdi, rdi
            //   0f848f010000         | je                  +0x18f
            //   4c8d8424a0000000     | lea                 r8, [rsp + 0xa0]
            //   488d9424a8000000     | lea                 rdx, [rsp + 0xa8]
            //   33c9                 | xor                 ecx, ecx
            //   ffd0                 | call                rax

        // Dword stores at [rsp+0x5c .. rsp+0x74]. In memory order the values
        // alternate between instruction-like bytes (0f ba 2d = bt [rip+..];
        // 0f 93 c0 = setae al; 0xcc fillers) and 0xff/0x00 runs, which looks
        // like a byte pattern plus match mask being built on the stack.
        // Interpretation not confirmable from the rule alone.
        $sequence_7 = { c744245c0000ffff c74424600fba2dcc c7442464ffffff00 c7442468cccccc00 c744246c000000ff c74424700f93c0cc c7442474ffffff00 }
            // n = 7, score = 400
            //   c744245c0000ffff     | mov                 dword ptr [rsp + 0x5c], 0xffff0000
            //   c74424600fba2dcc     | mov                 dword ptr [rsp + 0x60], 0xcc2dba0f
            //   c7442464ffffff00     | mov                 dword ptr [rsp + 0x64], 0x00ffffff
            //   c7442468cccccc00     | mov                 dword ptr [rsp + 0x68], 0x00cccccc
            //   c744246c000000ff     | mov                 dword ptr [rsp + 0x6c], 0xff000000
            //   c74424700f93c0cc     | mov                 dword ptr [rsp + 0x70], 0xccc0930f
            //   c7442474ffffff00     | mov                 dword ptr [rsp + 0x74], 0x00ffffff

        // Object initialisation on rcx: clears +0x40, stores a RIP-relative
        // address (likely a function pointer or vtable) at +0x30 and checks
        // whether +0x38 is already set.
        $sequence_8 = { 4883614000 488d05d1410000 48894130 4883793800 750b }
            // n = 5, score = 400
            //   4883614000           | and                 qword ptr [rcx + 0x40], 0
            //   488d05d1410000       | lea                 rax, [rip + 0x41d1]
            //   48894130             | mov                 qword ptr [rcx + 0x30], rax
            //   4883793800           | cmp                 qword ptr [rcx + 0x38], 0
            //   750b                 | jne                 +0xb

        // Stack-string construction (matches the "stack-based string
        // obfuscation" noted for this family). The immediates are ASCII:
        // 'M' @+0x38, "achi" @+0x39, "ne" @+0x3d, "uid\0" @+0x40, i.e.
        // "Machine?uid" with +0x3f written outside this sequence
        // (plausibly 'G' for "MachineGuid" -- not verifiable here).
        // 'o' @+0x4c and 'r' @+0x59 belong to other strings in the same frame.
        $sequence_9 = { c644244c6f c644245972 66c744243d6e65 c744243961636869 c64424384d c744244075696400 }
            // n = 6, score = 400
            //   c644244c6f           | mov                 byte ptr [rsp + 0x4c], 0x6f   ; 'o'
            //   c644245972           | mov                 byte ptr [rsp + 0x59], 0x72   ; 'r'
            //   66c744243d6e65       | mov                 word ptr [rsp + 0x3d], 0x656e ; "ne"
            //   c744243961636869     | mov                 dword ptr [rsp + 0x39], 0x69686361 ; "achi"
            //   c64424384d           | mov                 byte ptr [rsp + 0x38], 0x4d   ; 'M'
            //   c744244075696400     | mov                 dword ptr [rsp + 0x40], 0x00646975 ; "uid\0"

    condition:
        // 7 of the 10 sequences must be present; 589824 = 0x90000 (576 KiB),
        // a bound taken from the reference sample rather than a family trait.
        7 of them and filesize < 589824
}