win.acidbox

AcidBox

aka: MagicScroll

Unit 42 discovered AcidBox in February 2019 and describes it as a malware family that an unknown threat actor used in 2017 against Russian entities, as reported by Dr.Web. It reuses and improves on a VirtualBox exploit previously used by the Turla group. The malware itself is a modular toolkit with both usermode and kernelmode components, and it employs anti-analysis techniques such as stack-based string obfuscation and dynamic, XOR-encoded API resolution.

References
2020-08-13 | Talos Intelligence | Martin Lee, Paul Rascagnères, Vitor Ventura
@online{lee:20200813:attribution:ced59ff, author = {Martin Lee and Paul Rascagnères and Vitor Ventura}, title = {{Attribution: A Puzzle}}, date = {2020-08-13}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2020/08/attribution-puzzle.html}, language = {English}, urldate = {2020-08-14} } Attribution: A Puzzle
WellMail elf.wellmess AcidBox WellMess
2020-07-29 | Kaspersky Labs | GReAT
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-06-17 | Palo Alto Networks Unit 42 | Dominik Reichel, Esmid Idrizovic
@online{reichel:20200617:acidbox:556ade7, author = {Dominik Reichel and Esmid Idrizovic}, title = {{AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations}}, date = {2020-06-17}, organization = {paloalto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/acidbox-rare-malware/}, language = {English}, urldate = {2020-06-18} } AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations
AcidBox
2020-05-26 | EpicTurla | Juan Andrés Guerrero-Saade
@online{guerrerosaade:20200526:acidbox:06edc14, author = {Juan Andrés Guerrero-Saade}, title = {{ACIDBOX Clustering}}, date = {2020-05-26}, organization = {EpicTurla}, url = {https://www.epicturla.com/blog/acidbox-clustering}, language = {English}, urldate = {2020-06-29} } ACIDBOX Clustering
AcidBox
Yara Rules
[TLP:WHITE] win_acidbox_auto (20230715 | Detects win.acidbox.)
rule win_acidbox_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.acidbox."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acidbox"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - Every sequence below carries REX prefixes (0x40-0x4f) and uses 64-bit
     *   registers (r8-r15, rsp/rbp-relative stack slots), so this rule
     *   fingerprints the x86-64 code of the sampled component only. 32-bit
     *   builds or other modules of the AcidBox toolkit are not covered.
     * - The "????????" wildcards mask the 4-byte rel32 of "call" (e8) and the
     *   RIP-relative disp32 of "call qword ptr [rip+disp32]" (ff 15); both
     *   change with every build and relocation, hence the masking.
     * - The per-byte comments decode each sequence in 64-bit mode. Jump
     *   targets are written as signed offsets from the end of the
     *   instruction, not as absolute addresses.
     * - The condition needs 7 of the 10 sequences and a file smaller than
     *   589824 bytes (576 KiB). That is the intended scope for memory dumps
     *   and unpacked files; a packed dropper or a larger container will not
     *   match and needs a separate rule.
     */


    strings:
        $sequence_0 = { 44887558 c1e808 488d5558 41b804000000 884559 418bc6 41c1ee18 }
            // n = 7, score = 400
            //   44887558             | mov                 byte ptr [rbp + 0x58], r14b
            //   c1e808               | shr                 eax, 8
            //   488d5558             | lea                 rdx, [rbp + 0x58]
            //   41b804000000         | mov                 r8d, 4
            //   884559               | mov                 byte ptr [rbp + 0x59], al
            //   418bc6               | mov                 eax, r14d
            //   41c1ee18             | shr                 r14d, 0x18

        $sequence_1 = { 488bcb e8???????? 8bf8 89442430 85c0 0f857d020000 }
            // n = 6, score = 400
            //   488bcb               | mov                 rcx, rbx
            //   e8????????           | call                <rel32 masked>
            //   8bf8                 | mov                 edi, eax
            //   89442430             | mov                 dword ptr [rsp + 0x30], eax
            //   85c0                 | test                eax, eax
            //   0f857d020000         | jne                 +0x27d

        $sequence_2 = { 85c0 0f85d5010000 498bbe28010000 4889bc24b0000000 498b8600010000 4d8bae08010000 }
            // n = 6, score = 400
            //   85c0                 | test                eax, eax
            //   0f85d5010000         | jne                 +0x1d5
            //   498bbe28010000       | mov                 rdi, qword ptr [r14 + 0x128]
            //   4889bc24b0000000     | mov                 qword ptr [rsp + 0xb0], rdi
            //   498b8600010000       | mov                 rax, qword ptr [r14 + 0x100]
            //   4d8bae08010000       | mov                 r13, qword ptr [r14 + 0x108]

        $sequence_3 = { 488d8c2450020000 ff15???????? 488bf8 4889442428 488bc8 48f7d9 }
            // n = 6, score = 400
            //   488d8c2450020000     | lea                 rcx, [rsp + 0x250]
            //   ff15????????         | call                qword ptr [rip + <disp32 masked>]
            //   488bf8               | mov                 rdi, rax
            //   4889442428           | mov                 qword ptr [rsp + 0x28], rax
            //   488bc8               | mov                 rcx, rax
            //   48f7d9               | neg                 rcx

        $sequence_4 = { 4803fa 488d8424c0000000 4889442420 448b4b48 4c8b4340 ba20000000 }
            // n = 6, score = 400
            //   4803fa               | add                 rdi, rdx
            //   488d8424c0000000     | lea                 rax, [rsp + 0xc0]
            //   4889442420           | mov                 qword ptr [rsp + 0x20], rax
            //   448b4b48             | mov                 r9d, dword ptr [rbx + 0x48]
            //   4c8b4340             | mov                 r8, qword ptr [rbx + 0x40]
            //   ba20000000           | mov                 edx, 0x20

        $sequence_5 = { 4d85c0 7444 4c8b4c2440 4d85c9 743a 8b5c2448 }
            // n = 6, score = 400
            //   4d85c0               | test                r8, r8
            //   7444                 | je                  +0x44
            //   4c8b4c2440           | mov                 r9, qword ptr [rsp + 0x40]
            //   4d85c9               | test                r9, r9
            //   743a                 | je                  +0x3a
            //   8b5c2448             | mov                 ebx, dword ptr [rsp + 0x48]

        $sequence_6 = { 4183fd06 7275 4181fa02010000 726c 4d895c2410 4589542418 4d890c24 }
            // n = 7, score = 400
            //   4183fd06             | cmp                 r13d, 6
            //   7275                 | jb                  +0x75
            //   4181fa02010000       | cmp                 r10d, 0x102
            //   726c                 | jb                  +0x6c
            //   4d895c2410           | mov                 qword ptr [r12 + 0x10], r11   (REX.B extends the SIB base to r12)
            //   4589542418           | mov                 dword ptr [r12 + 0x18], r10d
            //   4d890c24             | mov                 qword ptr [r12], r9

        $sequence_7 = { c1e903 4181c501010000 8bc1 45896f18 482bf8 8bc1 c1e003 }
            // n = 7, score = 400
            //   c1e903               | shr                 ecx, 3
            //   4181c501010000       | add                 r13d, 0x101
            //   8bc1                 | mov                 eax, ecx
            //   45896f18             | mov                 dword ptr [r15 + 0x18], r13d
            //   482bf8               | sub                 rdi, rax
            //   8bc1                 | mov                 eax, ecx
            //   c1e003               | shl                 eax, 3

        $sequence_8 = { 483bfe 741e 4885ff 7419 488b4f10 488b3f e8???????? }
            // n = 7, score = 400
            //   483bfe               | cmp                 rdi, rsi
            //   741e                 | je                  +0x1e
            //   4885ff               | test                rdi, rdi
            //   7419                 | je                  +0x19
            //   488b4f10             | mov                 rcx, qword ptr [rdi + 0x10]
            //   488b3f               | mov                 rdi, qword ptr [rdi]
            //   e8????????           | call                <rel32 masked>

        $sequence_9 = { 0f848b000000 4d85c9 0f8482000000 4c8b742460 4d85f6 7478 }
            // n = 6, score = 400
            //   0f848b000000         | je                  +0x8b
            //   4d85c9               | test                r9, r9
            //   0f8482000000         | je                  +0x82
            //   4c8b742460           | mov                 r14, qword ptr [rsp + 0x60]
            //   4d85f6               | test                r14, r14
            //   7478                 | je                  +0x78

    condition:
        // 7 of the 10 x86-64 sequences, bounded to 576 KiB so large
        // containers are skipped; see REVIEW NOTES above for scope.
        7 of them and filesize < 589824
}