win.acidbox

AcidBox

aka: MagicScroll

Unit42 found AcidBox in February 2019 and describes it as a malware family used by an unknown threat actor in 2017 against Russian entities, as stated by Dr.Web. It reused and improved a VirtualBox exploit previously used by Turla. The malware itself is a modular toolkit with both user-mode and kernel-mode components, and it employs anti-analysis techniques such as stack-based string obfuscation and dynamically resolved, XOR-encoded API usage.

References
2020-08-13 | Talos Intelligence | Martin Lee, Paul Rascagnères, Vitor Ventura
@online{lee:20200813:attribution:ced59ff, author = {Martin Lee and Paul Rascagnères and Vitor Ventura}, title = {{Attribution: A Puzzle}}, date = {2020-08-13}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2020/08/attribution-puzzle.html}, language = {English}, urldate = {2020-08-14} } Attribution: A Puzzle
WellMail elf.wellmess AcidBox WellMess
2020-07-29 | Kaspersky Labs | GReAT
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-06-17 | paloalto Networks Unit 42 | Dominik Reichel, Esmid Idrizovic
@online{reichel:20200617:acidbox:556ade7, author = {Dominik Reichel and Esmid Idrizovic}, title = {{AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations}}, date = {2020-06-17}, organization = {paloalto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/acidbox-rare-malware/}, language = {English}, urldate = {2020-06-18} } AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations
AcidBox
2020-05-26 | EpicTurla | Juan Andrés Guerrero-Saade
@online{guerrerosaade:20200526:acidbox:06edc14, author = {Juan Andrés Guerrero-Saade}, title = {{ACIDBOX Clustering}}, date = {2020-05-26}, organization = {EpicTurla}, url = {https://www.epicturla.com/blog/acidbox-clustering}, language = {English}, urldate = {2020-06-29} } ACIDBOX Clustering
AcidBox
Yara Rules
[TLP:WHITE] win_acidbox_auto (20210616 | Detects win.acidbox.)
rule win_acidbox_auto {
    /*
     * Purpose: auto-generated code-pattern rule for the AcidBox family
     * (Malpedia id win.acidbox). It fires on files that contain at least
     * 7 of the 10 opcode byte sequences declared under `strings:`, subject
     * to the filesize bound in `condition:`.
     *
     * Reading the annotations: each `$sequence_N` is a hex pattern of raw
     * instruction bytes. The `// n = ..., score = ...` line gives the number
     * of instructions in the sequence and the generator's ranking value
     * (exact scoring semantics: see the yara-signator project linked below).
     *
     * NOTE(review): the per-row disassembly annotations appear shifted
     * relative to the hex bytes on the same row (e.g. the `488d83bc000000`
     * row is labelled `dec eax`, which is only its first byte decoded as
     * 32-bit code). YARA matches the hex bytes, not the mnemonics; treat the
     * hex as authoritative and the mnemonics as approximate.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.acidbox."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acidbox"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 488d83bc000000 f6c101 7406 66443930 754d 48ffc2 4903c4 }
            // n = 7, score = 400
            //   488d83bc000000       | dec                 eax
            //   f6c101               | lea                 ebx, dword ptr [esp + 0x20]
            //   7406                 | dec                 eax
            //   66443930             | cmp                 esi, ebp
            //   754d                 | je                  0x5b1
            //   48ffc2               | dec                 eax
            //   4903c4               | mov                 edx, ebp

        $sequence_1 = { 488b7b28 4885ff 7435 488b5738 4885d2 7412 837f280f }
            // n = 7, score = 400
            //   488b7b28             | jne                 0x884
            //   4885ff               | inc                 esp
            //   7435                 | mov                 esi, eax
            //   488b5738             | jae                 0x8a2
            //   4885d2               | dec                 eax
            //   7412                 | cmp                 dword ptr [eax + 0xa8], ebx
            //   837f280f             | je                  0x86e

        $sequence_2 = { ffc9 7408 41b9090a00a0 eb69 813bbabab00e eb16 813bdeadbafa }
            // n = 7, score = 400
            //   ffc9                 | inc                 ecx
            //   7408                 | push                esi
            //   41b9090a00a0         | inc                 ecx
            //   eb69                 | push                edi
            //   813bbabab00e         | xor                 ebp, ebp
            //   eb16                 | dec                 ebp
            //   813bdeadbafa         | mov                 edi, eax

        // `????????` are single-byte wildcards: the 4-byte operand following
        // `ff15` (presumably a memory-indirect call target that varies with
        // image base / import layout — confirm against a sample) is not
        // matched, so this sequence tolerates relocation differences.
        $sequence_3 = { 4533c9 448bc3 33c9 ff15???????? 4885c0 }
            // n = 5, score = 400
            //   4533c9               | jne                 0x1ced
            //   448bc3               | or                  ebx, 0x40
            //   33c9                 | test                eax, eax
            //   ff15????????         |                     
            //   4885c0               | jne                 0x1dfe

        $sequence_4 = { eb30 488b03 480598000000 48894008 488900 488b03 }
            // n = 6, score = 400
            //   eb30                 | inc                 esp
            //   488b03               | test                byte ptr [eax + 6], ch
            //   480598000000         | je                  0x117
            //   48894008             | dec                 eax
            //   488900               | mov                 ecx, dword ptr [esp + 0x4c0]
            //   488b03               | dec                 eax

        $sequence_5 = { 01839c000000 8d41fe 8983a0000000 4401b394000000 448b9394000000 443bd6 774e }
            // n = 7, score = 400
            //   01839c000000         | dec                 eax
            //   8d41fe               | mov                 dword ptr [eax + 8], eax
            //   8983a0000000         | dec                 eax
            //   4401b394000000       | mov                 dword ptr [eax], eax
            //   448b9394000000       | dec                 eax
            //   443bd6               | mov                 ecx, dword ptr [ebx]
            //   774e                 | dec                 eax

        $sequence_6 = { 44387c08ff 0f85af000000 418a00 3801 0f85a4000000 418a4001 384101 }
            // n = 7, score = 400
            //   44387c08ff           | mov                 ebp, 0x10
            //   0f85af000000         | dec                 eax
            //   418a00               | lea                 eax, dword ptr [esp + 0x150]
            //   3801                 | dec                 eax
            //   0f85a4000000         | mov                 dword ptr [esp + 0x20], eax
            //   418a4001             | inc                 ebp
            //   384101               | mov                 ecx, esp

        $sequence_7 = { 754b 4803ce 0fb601 3bd0 7541 4803ce 0fb601 }
            // n = 7, score = 400
            //   754b                 | dec                 eax
            //   4803ce               | mov                 ebx, eax
            //   0fb601               | mov                 edi, 0x80040302
            //   3bd0                 | test                edi, edi
            //   7541                 | je                  0x1768
            //   4803ce               | dec                 eax
            //   0fb601               | test                esi, esi

        $sequence_8 = { 89838c000000 4585c0 745e 3b8ba8000000 7356 8b8b94000000 8b4344 }
            // n = 7, score = 400
            //   89838c000000         | mov                 edx, dword ptr [ebx + 0xe]
            //   4585c0               | mov                 dword ptr [esp + 0x30], eax
            //   745e                 | and                 dword ptr [esp + 0x28], 0
            //   3b8ba8000000         | jmp                 0x95a
            //   7356                 | movzx               eax, word ptr [edi + 0xc]
            //   8b8b94000000         | inc                 esp
            //   8b4344               | mov                 ecx, dword ptr [edi + 8]

        $sequence_9 = { 7526 b920000000 488d833c010000 66443930 7514 48ffc1 4903c4 }
            // n = 7, score = 400
            //   7526                 | dec                 eax
            //   b920000000           | lea                 ecx, dword ptr [esp + 0x180]
            //   488d833c010000       | call                eax
            //   66443930             | mov                 ebx, 0xa000090d
            //   7514                 | dec                 eax
            //   48ffc1               | lea                 edx, dword ptr [esp + 0x48]
            //   4903c4               | dec                 eax

    condition:
        // Match when at least 7 of the 10 sequences above are present and the
        // scanned file is smaller than 589824 bytes (576 KiB). Both values are
        // emitted by the generator from a small sample set (see the disclaimer
        // above); before using this rule for alerting, validate the threshold
        // and the size bound against your own sample set and a benign corpus,
        // and remember that the size bound excludes larger carriers (e.g.
        // memory dumps or repacked files) by design.
        7 of them and filesize < 589824
}