win.acidbox (Back to overview)

AcidBox

aka: MagicScroll

Unit42 found AcidBox in February 2019 and describes it as a malware family that, according to Dr.Web, was used by an unknown threat actor in 2017 against Russian entities. It reused and improved a VirtualBox exploit previously used by Turla. The malware itself is a modular toolkit with both usermode and kernelmode components and anti-analysis techniques such as stack-based string obfuscation and dynamic XOR-encoded API usage.

References
2020-08-13 · Talos Intelligence · Martin Lee, Paul Rascagnères, Vitor Ventura
@online{lee:20200813:attribution:ced59ff, author = {Martin Lee and Paul Rascagnères and Vitor Ventura}, title = {{Attribution: A Puzzle}}, date = {2020-08-13}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2020/08/attribution-puzzle.html}, language = {English}, urldate = {2020-08-14} } Attribution: A Puzzle
WellMail elf.wellmess AcidBox WellMess
2020-07-29 · Kaspersky Labs · GReAT
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-06-17 · paloalto Networks Unit 42 · Dominik Reichel, Esmid Idrizovic
@online{reichel:20200617:acidbox:556ade7, author = {Dominik Reichel and Esmid Idrizovic}, title = {{AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations}}, date = {2020-06-17}, organization = {paloalto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/acidbox-rare-malware/}, language = {English}, urldate = {2020-06-18} } AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations
AcidBox
2020-05-26 · EpicTurla · Juan Andrés Guerrero-Saade
@online{guerrerosaade:20200526:acidbox:06edc14, author = {Juan Andrés Guerrero-Saade}, title = {{ACIDBOX Clustering}}, date = {2020-05-26}, organization = {EpicTurla}, url = {https://www.epicturla.com/blog/acidbox-clustering}, language = {English}, urldate = {2020-06-29} } ACIDBOX Clustering
AcidBox
Yara Rules
[TLP:WHITE] win_acidbox_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_acidbox_auto {
    /* Purpose: detect AcidBox (Malpedia family win.acidbox) by matching
     * opcode byte sequences that yara-signator extracted from the family's
     * disassembly. The rule fires when at least 7 of the 10 $sequence_*
     * strings below are present and the scanned file is smaller than
     * 589824 bytes (0x90000, i.e. 576 KiB). */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acidbox"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the "| mnemonic" annotations printed next to each opcode
     * do NOT decode the bytes shown on the same line (e.g. 33d2 is
     * `xor edx, edx`, not `lea eax, [edi + 0x548]`); they appear to be
     * misaligned generator output. Treat the hex byte sequences as the
     * authoritative content and do not use the annotations when triaging a
     * hit. In a YARA hex string `??` is a one-byte wildcard; here it masks
     * the rel32 displacement of e8 (call) / e9 (jmp) instructions so the
     * sequence does not depend on where the target was laid out.
     * "n" and "score" are yara-signator statistics (instruction count and
     * the tool's ranking score), not YARA semantics. */

    strings:
        $sequence_0 = { 33d2 41d3ee 2bf1 4585d2 0f8408010000 418bd6 }
            // n = 6, score = 400
            //   33d2                 | lea                 eax, [edi + 0x548]
            //   41d3ee               | dec                 esp
            //   2bf1                 | lea                 ecx, [edi + 0x80]
            //   4585d2               | xor                 ecx, ecx
            //   0f8408010000         | dec                 ecx
            //   418bd6               | mov                 dword ptr [ecx], eax

        $sequence_1 = { ff5338 4883632800 488b5c2430 488b742438 8bc7 4883c420 }
            // n = 6, score = 400
            //   ff5338               | inc                 ecx
            //   4883632800           | movzx               eax, byte ptr [ecx]
            //   488b5c2430           | inc                 esp
            //   488b742438           | cmp                 edx, eax
            //   8bc7                 | jae                 0x1cef
            //   4883c420             | dec                 esp

        $sequence_2 = { e9???????? 41bf02000000 488d842480010000 4889442420 41b9a0000000 4c8bc2 418d5726 }
            // n = 7, score = 400
            //   e9????????           |                     
            //   41bf02000000         | lea                 edx, [ebx + 1]
            //   488d842480010000     | dec                 eax
            //   4889442420           | lea                 ecx, [esp + 0x30]
            //   41b9a0000000         | mov                 eax, 1
            //   4c8bc2               | inc                 ecx
            //   418d5726             | add                 dword ptr [esi], eax

        $sequence_3 = { b910000000 c1ea10 663bd1 731e c1e808 0fb6c8 }
            // n = 6, score = 400
            //   b910000000           | lea                 ecx, [eax + 5]
            //   c1ea10               | mov                 edx, ecx
            //   663bd1               | lea                 eax, [esi + 4]
            //   731e                 | cmp                 ecx, edx
            //   c1e808               | jge                 0x28
            //   0fb6c8               | dec                 eax

        $sequence_4 = { c744247003a80f75 c7442474ffffffff c7442478094d0fa3 c744247c00ffffff c780d8feffffd3731048 c780dcfeffffffff00ff c780e0feffffffe0cccc }
            // n = 7, score = 400
            //   c744247003a80f75     | mov                 dword ptr [eax - 0x7c], 0xffff0000
            //   c7442474ffffffff     | mov                 dword ptr [eax - 0x78], 0x8bdcffcc
            //   c7442478094d0fa3     | mov                 dword ptr [eax - 0x74], 0xfff0ff00
            //   c744247c00ffffff     | mov                 dword ptr [eax - 0x84], 0xff000000
            //   c780d8feffffd3731048     | mov    dword ptr [eax - 0x80], 0xcccccc89
            //   c780dcfeffffffff00ff     | mov    dword ptr [eax - 0x7c], 0xff
            //   c780e0feffffffe0cccc     | mov    dword ptr [eax - 0x78], 0x74cc8548

        $sequence_5 = { 4885c0 7404 48895010 4c8b4de0 c70705000000 f7471000040000 0f840c010000 }
            // n = 7, score = 400
            //   4885c0               | mov                 ecx, esi
            //   7404                 | mov                 dword ptr [esp + 0x20], eax
            //   48895010             | test                byte ptr [edi + 0x3c], 4
            //   4c8b4de0             | je                  0x18bb
            //   c70705000000         | dec                 eax
            //   f7471000040000       | mov                 edx, edi
            //   0f840c010000         | dec                 ecx

        $sequence_6 = { 0f84bb000000 85d2 0f84b3000000 4d85c0 0f84aa000000 488d5008 e8???????? }
            // n = 7, score = 400
            //   0f84bb000000         | mov                 dword ptr [eax - 0x718], ebx
            //   85d2                 | xor                 edx, edx
            //   0f84b3000000         | inc                 ecx
            //   4d85c0               | mov                 eax, 0x6f8
            //   0f84aa000000         | dec                 eax
            //   488d5008             | lea                 ecx, [eax - 0x710]
            //   e8????????           |                     

        $sequence_7 = { 4123c4 0bc8 03c9 4585c0 7feb d1e9 66890c96 }
            // n = 7, score = 400
            //   4123c4               | sub                 esp, 0x30
            //   0bc8                 | dec                 eax
            //   03c9                 | mov                 ebx, edx
            //   4585c0               | mov                 edi, ecx
            //   7feb                 | dec                 eax
            //   d1e9                 | and                 dword ptr [eax + 0x18], 0
            //   66890c96             | and                 dword ptr [eax + 0x10], 0

        $sequence_8 = { 8b432c eb54 2b7b34 8b4b34 488bd6 3bfd 0f47fd }
            // n = 7, score = 400
            //   8b432c               | dec                 ecx
            //   eb54                 | mov                 edx, edi
            //   2b7b34               | mov                 eax, edx
            //   8b4b34               | jmp                 0x1312
            //   488bd6               | mov                 ecx, dword ptr [edi + 0x18]
            //   3bfd                 | inc                 esp
            //   0f47fd               | mov                 eax, ebx

        $sequence_9 = { 7504 8bc7 eb08 8b4e4c e8???????? 89464c 897b38 }
            // n = 7, score = 400
            //   7504                 | inc                 ecx
            //   8bc7                 | cmp                 dword ptr [esp + 0x38], ebx
            //   eb08                 | jle                 0x339
            //   8b4e4c               | mov                 ecx, dword ptr [edi + 0xc]
            //   e8????????           |                     
            //   89464c               | jge                 0x367
            //   897b38               | dec                 ecx

    condition:
        // "them" is every string declared above, so 7 of 10 sequences must
        // match; the slack tolerates a few sequences being absent or
        // re-compiled differently in other builds. The size bound
        // (589824 = 0x90000 = 576 KiB) restricts matches to smaller files;
        // presumably derived from the generating samples — confirm before
        // relaxing it, as the disclaimer notes only single samples were used.
        7 of them and filesize < 589824
}