win.acidbox

AcidBox

aka: MagicScroll

Unit42 found AcidBox in February 2019 and describes it as a malware family used by an unknown threat actor against Russian entities in 2017, as previously reported by Dr.Web. It reuses, and improves on, an exploit for VirtualBox that Turla had used earlier. The malware itself is a modular toolkit with both user-mode and kernel-mode components, and it employs anti-analysis techniques such as stack-based string obfuscation and dynamically resolved, XOR-encoded API usage.

References
2020-08-13 · Talos Intelligence · Martin Lee, Paul Rascagnères, Vitor Ventura
@online{lee:20200813:attribution:ced59ff, author = {Martin Lee and Paul Rascagnères and Vitor Ventura}, title = {{Attribution: A Puzzle}}, date = {2020-08-13}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2020/08/attribution-puzzle.html}, language = {English}, urldate = {2020-08-14} } Attribution: A Puzzle
WellMail elf.wellmess AcidBox WellMess
2020-07-29 · Kaspersky Labs · GReAT
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-06-17 · paloalto Networks Unit 42 · Dominik Reichel, Esmid Idrizovic
@online{reichel:20200617:acidbox:556ade7, author = {Dominik Reichel and Esmid Idrizovic}, title = {{AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations}}, date = {2020-06-17}, organization = {paloalto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/acidbox-rare-malware/}, language = {English}, urldate = {2020-06-18} } AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations
AcidBox
2020-05-26 · EpicTurla · Juan Andrés Guerrero-Saade
@online{guerrerosaade:20200526:acidbox:06edc14, author = {Juan Andrés Guerrero-Saade}, title = {{ACIDBOX Clustering}}, date = {2020-05-26}, organization = {EpicTurla}, url = {https://www.epicturla.com/blog/acidbox-clustering}, language = {English}, urldate = {2020-06-29} } ACIDBOX Clustering
AcidBox
Yara Rules
[TLP:WHITE] win_acidbox_auto (20221125 | Detects win.acidbox.)
rule win_acidbox_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.acidbox."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acidbox"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes (documentation only; the strings and condition are untouched)
     * - Every $sequence_* string is a run of x86-64 instruction bytes: REX prefixes
     *   (41/44/45/48/49/4c/4d) appear throughout, so the per-line annotations below
     *   decode the bytes as 64-bit code. They replace the generator's original
     *   annotations, which did not correspond to the bytes on the same line.
     * - The `????????` wildcards stand for relocation-dependent operands: the rel32
     *   target of an `e8` call and the RIP-relative displacement of `ff15` (call via
     *   import table) and `488905` (store to a global). This keeps the rule independent
     *   of load address and import-table layout.
     * - `filesize` is undefined when YARA scans a running process, so the rule will not
     *   match in process-memory scans as written; drop or guard the size clause if that
     *   is a use case (the sequences themselves are fine for memory scanning).
     * - Per the disclaimer, a single documented sample backs these sequences; the
     *   "7 of 10" threshold is a generalization heuristic, not a measured hit rate.
     */


    strings:
        $sequence_0 = { 33d2 ff15???????? 488b0b 4889a998000000 4c8b03 4d85c0 740f }
            // n = 7, score = 400
            //   33d2                 | xor                 edx, edx
            //   ff15????????         | call                qword ptr [rip + ?]   (import-table call)
            //   488b0b               | mov                 rcx, qword ptr [rbx]
            //   4889a998000000       | mov                 qword ptr [rcx + 0x98], rbp
            //   4c8b03               | mov                 r8, qword ptr [rbx]
            //   4d85c0               | test                r8, r8
            //   740f                 | je                  +0xf

        $sequence_1 = { 48c740b88bc148c1 48c740c0e809488b 48c740c814c2488b 48c740d0c148c1e8 c740d803f6c10f }
            // n = 5, score = 400
            //   48c740b88bc148c1     | mov                 qword ptr [rax - 0x48], 0xc148c18b   (imm32, sign-extended)
            //   48c740c0e809488b     | mov                 qword ptr [rax - 0x40], 0x8b4809e8   (imm32, sign-extended)
            //   48c740c814c2488b     | mov                 qword ptr [rax - 0x38], 0x8b48c214   (imm32, sign-extended)
            //   48c740d0c148c1e8     | mov                 qword ptr [rax - 0x30], 0xe8c148c1   (imm32, sign-extended)
            //   c740d803f6c10f       | mov                 dword ptr [rax - 0x28], 0x0fc1f603
            // NOTE(review): the immediates look like x86-64 opcode bytes (e.g. 8b c1 = mov eax, ecx;
            // 48 c1 e8 = shr rax, imm8) — possibly a table of code patterns built at runtime. Unverified;
            // confirm against the sample before relying on that interpretation.

        $sequence_2 = { 488d9424a0020000 488d8c24e0030000 ff15???????? 4c8bf8 4889442460 4883f8ff 74a3 }
            // n = 7, score = 400
            //   488d9424a0020000     | lea                 rdx, [rsp + 0x2a0]
            //   488d8c24e0030000     | lea                 rcx, [rsp + 0x3e0]
            //   ff15????????         | call                qword ptr [rip + ?]   (import-table call)
            //   4c8bf8               | mov                 r15, rax
            //   4889442460           | mov                 qword ptr [rsp + 0x60], rax
            //   4883f8ff             | cmp                 rax, -1
            //   74a3                 | je                  -0x5d   (backward branch; likely a loop)

        $sequence_3 = { 418bd8 448bea c740c801020380 33ff 488978e0 4533e4 4c8960d8 }
            // n = 7, score = 400
            //   418bd8               | mov                 ebx, r8d
            //   448bea               | mov                 r13d, edx
            //   c740c801020380       | mov                 dword ptr [rax - 0x38], 0x80030201
            //   33ff                 | xor                 edi, edi
            //   488978e0             | mov                 qword ptr [rax - 0x20], rdi
            //   4533e4               | xor                 r12d, r12d
            //   4c8960d8             | mov                 qword ptr [rax - 0x28], r12

        $sequence_4 = { 664489749602 664489749e02 4489b7ac0b0000 488bd6 4503f4 e8???????? 83bf9c14000002 }
            // n = 7, score = 400
            //   664489749602         | mov                 word ptr [rsi + rdx*4 + 2], r14w
            //   664489749e02         | mov                 word ptr [rsi + rbx*4 + 2], r14w
            //   4489b7ac0b0000       | mov                 dword ptr [rdi + 0xbac], r14d
            //   488bd6               | mov                 rdx, rsi
            //   4503f4               | add                 r14d, r12d
            //   e8????????           | call                rel32   (target wildcarded)
            //   83bf9c14000002       | cmp                 dword ptr [rdi + 0x149c], 2

        $sequence_5 = { 418bd8 217808 488bea 4885c9 7466 4885d2 7461 }
            // n = 7, score = 400
            //   418bd8               | mov                 ebx, r8d
            //   217808               | and                 dword ptr [rax + 8], edi
            //   488bea               | mov                 rbp, rdx
            //   4885c9               | test                rcx, rcx
            //   7466                 | je                  +0x66
            //   4885d2               | test                rdx, rdx
            //   7461                 | je                  +0x61

        $sequence_6 = { 488905???????? 4885c0 0f841e010000 48894008 488900 4489742424 498bd6 }
            // n = 7, score = 400
            //   488905????????       | mov                 qword ptr [rip + ?], rax   (store to a global; displacement wildcarded)
            //   4885c0               | test                rax, rax
            //   0f841e010000         | je                  +0x11e
            //   48894008             | mov                 qword ptr [rax + 8], rax
            //   488900               | mov                 qword ptr [rax], rax
            //   4489742424           | mov                 dword ptr [rsp + 0x24], r14d
            //   498bd6               | mov                 rdx, r14
            // NOTE(review): storing rax into both [rax] and [rax+8] is the usual shape of
            // initialising an empty doubly-linked list head (Flink/Blink pointing to itself) — inferred
            // from the instruction pattern only, not confirmed.

        $sequence_7 = { 83e908 c1e10c 81c100080000 4439bbb0000000 7d22 8b93ac000000 413bd7 }
            // n = 7, score = 400
            //   83e908               | sub                 ecx, 8
            //   c1e10c               | shl                 ecx, 0xc
            //   81c100080000         | add                 ecx, 0x800
            //   4439bbb0000000       | cmp                 dword ptr [rbx + 0xb0], r15d
            //   7d22                 | jge                 +0x22
            //   8b93ac000000         | mov                 edx, dword ptr [rbx + 0xac]
            //   413bd7               | cmp                 edx, r15d

        $sequence_8 = { 89442430 85c0 751e 488b442478 488906 8b8424c0010000 }
            // n = 6, score = 400
            //   89442430             | mov                 dword ptr [rsp + 0x30], eax
            //   85c0                 | test                eax, eax
            //   751e                 | jne                 +0x1e
            //   488b442478           | mov                 rax, qword ptr [rsp + 0x78]
            //   488906               | mov                 qword ptr [rsi], rax
            //   8b8424c0010000       | mov                 eax, dword ptr [rsp + 0x1c0]

        $sequence_9 = { 4885d2 746e ff15???????? 488be8 85c0 7461 4c8bc7 }
            // n = 7, score = 400
            //   4885d2               | test                rdx, rdx
            //   746e                 | je                  +0x6e
            //   ff15????????         | call                qword ptr [rip + ?]   (import-table call)
            //   488be8               | mov                 rbp, rax
            //   85c0                 | test                eax, eax
            //   7461                 | je                  +0x61
            //   4c8bc7               | mov                 r8, rdi

    condition:
        // Majority vote over the ten sequences, bounded to files under 576 KiB (0x90000 bytes).
        // See reviewer notes above: `filesize` is undefined for process scans.
        7 of them and filesize < 589824
}