win.acidbox

AcidBox

aka: MagicScroll

Unit 42 found AcidBox in February 2019 and describes it as a malware family that an unknown threat actor used against Russian entities in 2017, as reported by Dr.Web. It reused and improved a VirtualBox exploit previously used by Turla. The malware itself is a modular toolkit with both user-mode and kernel-mode components, featuring anti-analysis techniques such as stack-based string obfuscation and dynamic XOR-encoded API usage.

References
2020-08-13 — Talos Intelligence — Martin Lee, Paul Rascagnères, Vitor Ventura
@online{lee:20200813:attribution:ced59ff, author = {Martin Lee and Paul Rascagnères and Vitor Ventura}, title = {{Attribution: A Puzzle}}, date = {2020-08-13}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2020/08/attribution-puzzle.html}, language = {English}, urldate = {2020-08-14} } Attribution: A Puzzle
WellMail elf.wellmess AcidBox WellMess
2020-07-29 — Kaspersky Labs — GReAT
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-06-17 — paloalto Networks Unit 42 — Dominik Reichel, Esmid Idrizovic
@online{reichel:20200617:acidbox:556ade7, author = {Dominik Reichel and Esmid Idrizovic}, title = {{AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations}}, date = {2020-06-17}, organization = {paloalto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/acidbox-rare-malware/}, language = {English}, urldate = {2020-06-18} } AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations
AcidBox
2020-05-26 — EpicTurla — Juan Andrés Guerrero-Saade
@online{guerrerosaade:20200526:acidbox:06edc14, author = {Juan Andrés Guerrero-Saade}, title = {{ACIDBOX Clustering}}, date = {2020-05-26}, organization = {EpicTurla}, url = {https://www.epicturla.com/blog/acidbox-clustering}, language = {English}, urldate = {2020-06-29} } ACIDBOX Clustering
AcidBox
Yara Rules
[TLP:WHITE] win_acidbox_auto (20200817 | autogenerated rule brought to you by yara-signator)
rule win_acidbox_auto {
    // Autogenerated code-sequence signature for AcidBox (Malpedia: win.acidbox),
    // produced by yara-signator from the disassembly of memory dumps / unpacked
    // samples. Detection logic: any 7 of the 10 $sequence_* byte patterns below
    // must be present and the scanned file must be smaller than 589824 bytes
    // (576 KiB). The generator documents only single samples per family (see the
    // DISCLAIMER below), so corroborate hits with other indicators and assign a
    // confidence level that reflects that limited generalization.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acidbox"
        malpedia_rule_date = "20200817"
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a hex string of raw instruction bytes. `??` bytes are
        // wildcards: per tool_config ("callsandjumps") the generator masks the
        // rel32 displacement of call/jmp instructions (the four bytes following the
        // e8 / e9 opcodes), so the pattern does not depend on where the code was
        // placed. In the "n = ..., score = ..." lines, n equals the number of
        // instructions (hex groups) in the sequence; score is a generator-assigned
        // ranking value whose exact semantics are not documented here.
        // NOTE(review): the mnemonic column in the per-byte comments does not
        // appear to correspond to the bytes on the same line (e.g. `33d2` encodes
        // `xor edx, edx`, not `push esi`) — YARA matches the hex only, so treat
        // the mnemonics as informational and rely on the byte patterns.
        $sequence_0 = { 40887c2430 be03010000 448bc6 33d2 488d4c2431 e8???????? 4088bc2450020000 }
            // n = 7, score = 400
            //   40887c2430           | inc                 ecx
            //   be03010000           | push                esp
            //   448bc6               | inc                 ecx
            //   33d2                 | push                esi
            //   488d4c2431           | inc                 ecx
            //   e8????????           |                     
            //   4088bc2450020000     | push                edi

        $sequence_1 = { 8bce e8???????? 4c8d9c2420040000 498b5b10 498b6b18 498b7320 }
            // n = 6, score = 400
            //   8bce                 | cmp                 edx, 0xa
            //   e8????????           |                     
            //   4c8d9c2420040000     | jg                  0x10b2
            //   498b5b10             | inc                 ecx
            //   498b6b18             | movzx               ebx, word ptr [ecx + 0xaea]
            //   498b7320             | sub                 eax, ebx

        $sequence_2 = { 6639460c 751b 8b4624 83c028 3bc5 }
            // n = 5, score = 400
            //   6639460c             | arpl                word ptr [eax + 0x3c], ax
            //   751b                 | dec                 esp
            //   8b4624               | add                 eax, eax
            //   83c028               | inc                 ecx
            //   3bc5                 | mov                 eax, 0x150

        $sequence_3 = { 25ff0f0000 4c63c8 4d03cf 85c9 7431 ffc9 }
            // n = 6, score = 400
            //   25ff0f0000           | inc                 ebp
            //   4c63c8               | mov                 ecx, edi
            //   4d03cf               | inc                 ecx
            //   85c9                 | mov                 edx, edi
            //   7431                 | dec                 eax
            //   ffc9                 | mov                 ecx, esi

        $sequence_4 = { 817e0800000006 0f822b010000 817e0800000206 0f82ee000000 488b4e78 }
            // n = 5, score = 400
            //   817e0800000006       | dec                 eax
            //   0f822b010000         | mov                 ebx, dword ptr [esp + 0x30]
            //   817e0800000206       | dec                 eax
            //   0f82ee000000         | mov                 esi, dword ptr [esp + 0x38]
            //   488b4e78             | inc                 ebp

        $sequence_5 = { 6683790440 756a 0fb6835c010000 83f803 743e 83f804 7426 }
            // n = 7, score = 400
            //   6683790440           | xorps               xmm0, xmm0
            //   756a                 | movdqu              xmmword ptr [esp + 0x50], xmm0
            //   0fb6835c010000       | dec                 eax
            //   83f803               | mov                 dword ptr [esp + 0x60], ebx
            //   743e                 | mov                 dword ptr [esp + 0x4c], esi
            //   83f804               | dec                 esp
            //   7426                 | mov                 dword ptr [esp + 0x50], esi

        $sequence_6 = { 4d85e4 0f844f010000 4c8b6920 4139bd94000000 0f842d010000 }
            // n = 5, score = 400
            //   4d85e4               | dec                 eax
            //   0f844f010000         | add                 ecx, dword ptr [esp + 0x180]
            //   4c8b6920             | dec                 eax
            //   4139bd94000000       | arpl                word ptr [ecx], ax
            //   0f842d010000         | dec                 eax

        $sequence_7 = { 44896f18 83671c00 83672000 83672400 44087728 8a4728 24fd }
            // n = 7, score = 400
            //   44896f18             | je                  0x1f09
            //   83671c00             | dec                 eax
            //   83672000             | add                 edi, 2
            //   83672400             | dec                 eax
            //   44087728             | mov                 ecx, edi
            //   8a4728               | dec                 eax
            //   24fd                 | mov                 edi, eax

        $sequence_8 = { 66428944a102 8b4d8c e9???????? 85db 741d 402a7d88 }
            // n = 6, score = 400
            //   66428944a102         | mov                 edi, eax
            //   8b4d8c               | dec                 eax
            //   e9????????           |                     
            //   85db                 | mov                 dword ptr [esp + 0x38], eax
            //   741d                 | dec                 esp
            //   402a7d88             | lea                 eax, [esp + 0x50]

        $sequence_9 = { ffc1 66015445b8 894d8c 7519 413bf8 }
            // n = 5, score = 400
            //   ffc1                 | test                eax, eax
            //   66015445b8           | jne                 0xd4a
            //   894d8c               | dec                 eax
            //   7519                 | lea                 ecx, [esp + 0x2e0]
            //   413bf8               | mov                 ebx, eax

    condition:
        // Require 7 of the 10 sequences (tolerates a few sequences being absent or
        // altered in other builds) and cap the file size at 589824 bytes (576 KiB),
        // presumably derived from the observed sample size — confirm before tuning.
        7 of them and filesize < 589824
}