win.acidbox (Back to overview)

AcidBox

aka: MagicScroll

Unit 42 found AcidBox in February 2019 and describes it as a malware family used by an unknown threat actor in 2017 against Russian entities, as stated by Dr.Web. It reused and improved an exploit for VirtualBox that Turla had previously used. The malware itself is a modular toolkit with both user-mode and kernel-mode components, and it employs anti-analysis techniques such as stack-based string obfuscation and dynamic, XOR-encoded API usage.

References
2020-08-13 — Talos Intelligence — Martin Lee, Paul Rascagnères, Vitor Ventura
@online{lee:20200813:attribution:ced59ff, author = {Martin Lee and Paul Rascagnères and Vitor Ventura}, title = {{Attribution: A Puzzle}}, date = {2020-08-13}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2020/08/attribution-puzzle.html}, language = {English}, urldate = {2020-08-14} } Attribution: A Puzzle
WellMail elf.wellmess AcidBox WellMess
2020-07-29 — Kaspersky Labs — GReAT
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-06-17 — paloalto Networks Unit 42 — Dominik Reichel, Esmid Idrizovic
@online{reichel:20200617:acidbox:556ade7, author = {Dominik Reichel and Esmid Idrizovic}, title = {{AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations}}, date = {2020-06-17}, organization = {paloalto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/acidbox-rare-malware/}, language = {English}, urldate = {2020-06-18} } AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations
AcidBox
2020-05-26 — EpicTurla — Juan Andrés Guerrero-Saade
@online{guerrerosaade:20200526:acidbox:06edc14, author = {Juan Andrés Guerrero-Saade}, title = {{ACIDBOX Clustering}}, date = {2020-05-26}, organization = {EpicTurla}, url = {https://www.epicturla.com/blog/acidbox-clustering}, language = {English}, urldate = {2020-06-29} } ACIDBOX Clustering
AcidBox
Yara Rules
[TLP:WHITE] win_acidbox_auto (20211008 | Detects win.acidbox.)
rule win_acidbox_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.acidbox."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acidbox"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the per-instruction comments below are a decode of the
     * hex bytes exactly as written in each string, read as x86-64 (the REX
     * prefixes 0x41/0x45/0x48/0x4c present throughout only make sense in
     * 64-bit mode). The generator's original annotations did not correspond
     * to the bytes they sat next to (e.g. 75 41 is a short jne, not a mov),
     * so they were replaced. "??" bytes mask the displacement of a call or
     * jmp, so the sequence is not pinned to one particular target address.
     * "n" is the number of instructions in the sequence; "score" is the
     * generator's ranking value, not a YARA weight.
     */

    strings:
        $sequence_0 = { 7541 4803ce 0fb601 3bd0 7537 4803ce 0fb601 }
            // n = 7, score = 400
            //   7541                 | jne                 short +0x41
            //   4803ce               | add                 rcx, rsi
            //   0fb601               | movzx               eax, byte ptr [rcx]
            //   3bd0                 | cmp                 edx, eax
            //   7537                 | jne                 short +0x37
            //   4803ce               | add                 rcx, rsi
            //   0fb601               | movzx               eax, byte ptr [rcx]

        $sequence_1 = { 458bcf 4c8bc7 418bd7 488d8c2490000000 e8???????? 89442430 85c0 }
            // n = 7, score = 400
            //   458bcf               | mov                 r9d, r15d
            //   4c8bc7               | mov                 r8, rdi
            //   418bd7               | mov                 edx, r15d
            //   488d8c2490000000     | lea                 rcx, [rsp + 0x90]
            //   e8????????           | call                rel32 (target masked)
            //   89442430             | mov                 dword ptr [rsp + 0x30], eax
            //   85c0                 | test                eax, eax

        $sequence_2 = { 458bcf 4c8bc3 ba38000000 488d8c24e8000000 e8???????? 8bd0 }
            // n = 6, score = 400
            //   458bcf               | mov                 r9d, r15d
            //   4c8bc3               | mov                 r8, rbx
            //   ba38000000           | mov                 edx, 0x38
            //   488d8c24e8000000     | lea                 rcx, [rsp + 0xe8]
            //   e8????????           | call                rel32 (target masked)
            //   8bd0                 | mov                 edx, eax

        $sequence_3 = { 488d8e50010000 4c8bca 4c8bc3 e8???????? 85c0 7408 41b9060a00a0 }
            // n = 7, score = 400
            //   488d8e50010000       | lea                 rcx, [rsi + 0x150]
            //   4c8bca               | mov                 r9, rdx
            //   4c8bc3               | mov                 r8, rbx
            //   e8????????           | call                rel32 (target masked)
            //   85c0                 | test                eax, eax
            //   7408                 | je                  short +0x8
            //   41b9060a00a0         | mov                 r9d, 0xa0000a06

        $sequence_4 = { 0f848b020000 e9???????? 83e908 74e9 }
            // n = 4, score = 400
            //   0f848b020000         | je                  near +0x28b
            //   e9????????           | jmp                 rel32 (target masked)
            //   83e908               | sub                 ecx, 8
            //   74e9                 | je                  short -0x17

        $sequence_5 = { 4155 4156 4157 4881ec20010000 488bf9 }
            // n = 5, score = 400
            // looks like a function prologue: callee-saved pushes, then frame allocation
            //   4155                 | push                r13
            //   4156                 | push                r14
            //   4157                 | push                r15
            //   4881ec20010000       | sub                 rsp, 0x120
            //   488bf9               | mov                 rdi, rcx

        $sequence_6 = { 72da 8b477c 410fb7ce 83c6fd 410fb70442 664123c8 }
            // n = 6, score = 400
            //   72da                 | jb                  short -0x26
            //   8b477c               | mov                 eax, dword ptr [rdi + 0x7c]
            //   410fb7ce             | movzx               ecx, r14w
            //   83c6fd               | add                 esi, -3
            //   410fb70442           | movzx               eax, word ptr [r10 + rax*2]
            //   664123c8             | and                 cx, r8w

        $sequence_7 = { ff15???????? 4c8bf0 4889442470 4885c0 750a bb04130480 e9???????? }
            // n = 7, score = 400
            // ebx is loaded with a 0x8xxxxxxx constant before the jmp; presumably a
            // status/error code, but its meaning is not resolved here.
            //   ff15????????         | call                qword ptr [rip + disp32] (masked)
            //   4c8bf0               | mov                 r14, rax
            //   4889442470           | mov                 qword ptr [rsp + 0x70], rax
            //   4885c0               | test                rax, rax
            //   750a                 | jne                 short +0xa
            //   bb04130480           | mov                 ebx, 0x80041304
            //   e9????????           | jmp                 rel32 (target masked)

        $sequence_8 = { bb06080280 ff15???????? 488bf0 4885c0 0f84a1010000 488bd0 }
            // n = 6, score = 400
            //   bb06080280           | mov                 ebx, 0x80020806
            //   ff15????????         | call                qword ptr [rip + disp32] (masked)
            //   488bf0               | mov                 rsi, rax
            //   4885c0               | test                rax, rax
            //   0f84a1010000         | je                  near +0x1a1
            //   488bd0               | mov                 rdx, rax

        $sequence_9 = { 488bf0 4885c0 750a bb04080280 e9???????? 488bd5 4c8bcd }
            // n = 7, score = 400
            //   488bf0               | mov                 rsi, rax
            //   4885c0               | test                rax, rax
            //   750a                 | jne                 short +0xa
            //   bb04080280           | mov                 ebx, 0x80020804
            //   e9????????           | jmp                 rel32 (target masked)
            //   488bd5               | mov                 rdx, rbp
            //   4c8bcd               | mov                 r9, rbp

    condition:
        // Match when at least 7 of the 10 sequences are present and the scanned
        // file is smaller than 589824 bytes (576 KiB); the size cap limits the
        // cost of scanning large files and reflects the size of the samples
        // the rule was generated from.
        7 of them and filesize < 589824
}