win.acidbox

AcidBox

aka: MagicScroll

Unit42 found AcidBox in February 2019 and describes it as a malware family that, according to Dr.Web, was used by an unknown threat actor in 2017 against Russian entities. It reuses and improves a VirtualBox exploit previously used by Turla. The malware itself is a modular toolkit with both user-mode and kernel-mode components, and it employs anti-analysis techniques such as stack-based string obfuscation and dynamic XOR-encoded API usage.

References
2020-08-13 — Talos Intelligence — Martin Lee, Paul Rascagnères, Vitor Ventura
@online{lee:20200813:attribution:ced59ff, author = {Martin Lee and Paul Rascagnères and Vitor Ventura}, title = {{Attribution: A Puzzle}}, date = {2020-08-13}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2020/08/attribution-puzzle.html}, language = {English}, urldate = {2020-08-14} } Attribution: A Puzzle
WellMail elf.wellmess AcidBox WellMess
2020-07-29 — Kaspersky Labs — GReAT
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-06-17 — paloalto Networks Unit 42 — Dominik Reichel, Esmid Idrizovic
@online{reichel:20200617:acidbox:556ade7, author = {Dominik Reichel and Esmid Idrizovic}, title = {{AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations}}, date = {2020-06-17}, organization = {paloalto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/acidbox-rare-malware/}, language = {English}, urldate = {2020-06-18} } AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations
AcidBox
2020-05-26 — EpicTurla — Juan Andrés Guerrero-Saade
@online{guerrerosaade:20200526:acidbox:06edc14, author = {Juan Andrés Guerrero-Saade}, title = {{ACIDBOX Clustering}}, date = {2020-05-26}, organization = {EpicTurla}, url = {https://www.epicturla.com/blog/acidbox-clustering}, language = {English}, urldate = {2020-06-29} } ACIDBOX Clustering
AcidBox
Yara Rules
[TLP:WHITE] win_acidbox_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_acidbox_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acidbox"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the "//" mnemonic comments printed under each $sequence_N
     * below are autogenerated and do NOT correspond to the hex bytes beside
     * them. They look like a 32-bit decoding of 64-bit code (REX prefixes
     * 0x41/0x48/0x4c/0x4d rendered as inc/dec of 32-bit registers) and are
     * also shifted relative to the byte sequences (e.g. "c3" in $sequence_5
     * is ret, not "dec ebp"; "eb7a" in $sequence_0 is a short jmp, not
     * "dec esp"). Only the hex bytes are authoritative. The decodings marked
     * "(review)" were done by hand; confirm them with a disassembler before
     * relying on them.
     */


    strings:
        // (review) PE header walk: movsxd r14, [rcx+0x3c] reads e_lfanew and the
        // cmp against 0x4550 checks for the "PE\0\0" signature. This is generic
        // loader / PE-parsing code and can occur in unrelated binaries; it is a
        // weak discriminator on its own.
        $sequence_0 = { eb7a 4c63713c 41813c0e50450000 75eb ff15???????? 488bc8 b808000000 }
            // n = 7, score = 400
            //   eb7a                 | jmp short +0x7a            (review)
            //   4c63713c             | movsxd r14, [rcx+0x3c]     (review)
            //   41813c0e50450000     | cmp dword [r14+rcx], 0x4550 (review)
            //   75eb                 | jne short -0x15            (review)
            //   ff15????????         | call qword [rip+disp32]    (review)
            //   488bc8               | mov rcx, rax               (review)
            //   b808000000           | mov eax, 8                 (review)

        $sequence_1 = { 89442434 4821442458 4821442438 4885db 0f84fb030000 4d85ff 0f84f2030000 }
            // n = 7, score = 400
            // (mnemonics below are autogenerated and unreliable; see NOTE(review) above)
            //   89442434             | jmp                 0x7b0
            //   4821442458           | mov                 edx, 0x4000
            //   4821442438           | test                word ptr [eax + 6], dx
            //   4885db               | je                  0x7a1
            //   0f84fb030000         | lea                 ecx, [ebx + 5]
            //   4d85ff               | test                edi, edi
            //   0f84f2030000         | jne                 0x78f

        $sequence_2 = { 85d2 0f848e000000 ffca 745d ffca 740b 41bf02020380 }
            // n = 7, score = 400
            // (mnemonics below are autogenerated and unreliable; see NOTE(review) above)
            //   85d2                 | mov                 esi, eax
            //   0f848e000000         | dec                 eax
            //   ffca                 | mov                 dword ptr [esp + 0x78], eax
            //   745d                 | dec                 eax
            //   ffca                 | test                eax, eax
            //   740b                 | jne                 0x935
            //   41bf02020380         | mov                 edx, edi

        $sequence_3 = { 894718 448bf2 8bf2 e9???????? 8bcb }
            // n = 5, score = 400
            // (mnemonics below are autogenerated and unreliable; see NOTE(review) above)
            //   894718               | ror                 eax, 0x1c
            //   448bf2               | dec                 eax
            //   8bf2                 | add                 edx, esi
            //   e9????????           |                     
            //   8bcb                 | dec                 ecx

        $sequence_4 = { 895c2424 bf01000000 488b742470 4c8b642430 }
            // n = 4, score = 400
            // (mnemonics below are autogenerated and unreliable; see NOTE(review) above)
            //   895c2424             | mov                 byte ptr [esp + 0x67], al
            //   bf01000000           | dec                 ecx
            //   488b742470           | mov                 dword ptr [ebx - 0x3e], eax
            //   4c8b642430           | mov                 dword ptr [esp + 0x52], eax

        // (review) standard x64 function epilogue (restore rsi/rdi/r14 from the
        // r11 frame, mov rsp, r11, pop r15, ret) immediately followed by the
        // next function's prologue (mov r11, rsp). Compiler boilerplate — very
        // common across unrelated 64-bit binaries, so it adds little specificity.
        $sequence_5 = { 498b7318 498b7b20 4d8b7328 498be3 415f c3 4c8bdc }
            // n = 7, score = 400
            //   498b7318             | mov rsi, [r11+0x18]        (review)
            //   498b7b20             | mov rdi, [r11+0x20]        (review)
            //   4d8b7328             | mov r14, [r11+0x28]        (review)
            //   498be3               | mov rsp, r11               (review)
            //   415f                 | pop r15                    (review)
            //   c3                   | ret                        (review)
            //   4c8bdc               | mov r11, rsp               (review)

        $sequence_6 = { ff15???????? 4c8b842480000000 418b5750 488b4c2470 e8???????? 8bd8 89442420 }
            // n = 7, score = 400
            // (mnemonics below are autogenerated and unreliable; see NOTE(review) above)
            //   ff15????????         |                     
            //   4c8b842480000000     | inc                 ecx
            //   418b5750             | sub                 eax, eax
            //   488b4c2470           | cmp                 ecx, eax
            //   e8????????           |                     
            //   8bd8                 | jle                 0xb95
            //   89442420             | je                  0xbcb

        // (review) shr r8w, cl / add [r9+0x1714], eax / movzx eax, word [r9+0xae4]
        // against a large r9-relative structure — presumably bit-field or
        // bit-stream handling; unconfirmed, verify with a disassembler.
        $sequence_7 = { 412a8914170000 8d43f0 6641d3e8 41018114170000 6645898110170000 eb1d 410fb781e40a0000 }
            // n = 7, score = 400
            // (mnemonics below are autogenerated and unreliable; see NOTE(review) above)
            //   412a8914170000       | mov                 ebx, 0x8004270c
            //   8d43f0               | mov                 dword ptr [esp + 0x70], 0x11c
            //   6641d3e8             | dec                 eax
            //   41018114170000       | lea                 ecx, [esp + 0x70]
            //   6645898110170000     | dec                 eax
            //   eb1d                 | test                eax, eax
            //   410fb781e40a0000     | jne                 0x155f

        $sequence_8 = { 0f8588000000 83242400 418bc1 c1e002 2bf8 48832600 4533c0 }
            // n = 7, score = 400
            // (mnemonics below are autogenerated and unreliable; see NOTE(review) above)
            //   0f8588000000         | dec                 ebp
            //   83242400             | mov                 eax, edi
            //   418bc1               | mov                 edx, 0x22824c
            //   c1e002               | dec                 ecx
            //   2bf8                 | mov                 ecx, ebp
            //   48832600             | call                ebx
            //   4533c0               | test                eax, eax

        $sequence_9 = { 897918 488b03 488b8898000000 89791c 488b03 488b8898000000 c7413809000000 }
            // n = 7, score = 400
            // (mnemonics below are autogenerated and unreliable; see NOTE(review) above)
            //   897918               | mov                 edx, 0x104
            //   488b03               | dec                 eax
            //   488b8898000000       | lea                 ecx, [esp + 0x250]
            //   89791c               | test                eax, eax
            //   488b03               | jne                 0x397
            //   488b8898000000       | mov                 dword ptr [esp + 0x24], 0x80070a01
            //   c7413809000000       | mov                 edx, 0x104

    condition:
        // At least 7 of the 10 code sequences must be present and the scanned
        // file must be under 576 KiB. The sequences come from unpacked code and
        // memory dumps (see DISCLAIMER), so packed or encrypted on-disk samples
        // are unlikely to match until they are unpacked.
        // NOTE(review): filesize is only defined for file scans; on process-memory
        // scans the size term is undefined and the rule will not fire — confirm
        // with the YARA version in use and drop the size term for memory scanning.
        7 of them and filesize < 589824
}