Advanced malware, dubbed AcidBox, has been identified by researchers who say a mysterious cybergang used it twice against Russian organizations as far back as 2017. In a report released Wednesday, Palo Alto Networks’ Unit 42 sheds new light onto attacks against the popular open-source virtualization software VirtualBox that used the AcidBox malware.
Unit 42’s postmortem on the VirtualBox attacks begins in 2008 when researchers at Core Security found a bug in the Windows Vista security mechanism called Driver Signature Enforcement (DSE). The flaw allowed an attacker to disable DSE and install rogue software onto targeted instances of Oracle’s VirtualBox software. The bug (CVE-2008-3431) impacting VirtualBox driver VBoxDrv.sys was patched in version 1.6.4.
Fast forward to 2o14, and the notorious Turla Group developed the first malware to abused a third-party device driver to disable DSE, weaponizing Core Security’s research. The Turla Group attacks also focused on VirtualBox drivers. And despite Oracle’s 2008 patch, Turla operators successfully figured out how to disabled DSE with its malware. That’s because, according to Unit 42, despite the bug (CVE-2008-3431) fix, only one of two vulnerabilities were patched in 2008.
“The exploit used by Turla actually abuses two vulnerabilities — of which, only one was ever fixed [with CVE-2008-3431],” Unit 42 wrote in its report posted Wednesday. The Turla Group malware, researchers said, also targeted a second DSE vulnerability tied to a signed VirtualBox driver (VBoxDrv.sys v1.6.2) using what would later be identified as AcidBox malware.
Fast forward to 2019, and that’s when Unit 42 said it first discovered a sample of AcidBox that had been uploaded to VirusTotal. Researchers then traced the AcidBox malware to fresh attacks against the VirtualBox driver VBoxDrv.sys v1.6.2, along with all other versions up to v3.0.0 (the current VirtualBox version is 6).
“Because of the malware’s complexity, rarity, and the fact that it’s part of a bigger toolset, we believe it was used by an advanced threat actor for targeted attacks and it’s likely that this malware is still being used today if the attacker is still active,” wrote Dominik Reichel and Esmid Idrizovic, researchers with Palo Alto Networks’ Unit 42 team.
Despite similarities between the Turla Group and the cybergang behind the recent VirtualBox attacks, researchers said the two threat groups are not linked. Turla, also known as Venomous Bear, Waterbug and Uroboros, is a Russian-speaking threat actor known since 2014.
VirtualBox Exploit
The exploit that was used by Turla abuses two vulnerabilities. The first flaw (CVE-2008-3431), fixed in 2008, exists in the VBoxDrvNtDeviceControl function in VBoxDrv.sys. The function does not properly validate a buffer associated with the Irp object, allowing local users to gain privileges by opening the \\.\VBoxDrv device and calling DeviceIoControl to send a crafted kernel address.
However, the second vulnerability is still unpatched, and was used in a newer version of Turla’s exploit, which researchers believe was introduced in 2014 in the threat group’s kernelmode malware. It is this exploit that the yet-to-be-known threat actor behind AcidBox leveraged in the 2017 attack against the two Russian firms.
Reichel told Threatpost that the unpatched flaw “never got a CVE since it was naturally (i.e. unintentionally) patched in version 3.0.0.”
“[AcidBox] uses a known VirtualBox exploit to disable Driver Signature Enforcement in Windows, but with a new twist: While it’s publicly known that VirtualBox driver VBoxDrv.sys v1.6.2 is vulnerable and used by Turla, this new malware uses the same exploit but with a slightly newer VirtualBox version,” said researchers.
The Malware
The AcidBox malware itself is a complex modular toolkit. Researchers only have access to a small part of this toolkit. They found four 64-bit usermode DLLs and an unsigned kernelmode driver. Three (out of those four usermode samples (msv1_0.dll, pku2u.dll, wdigest.dll) have identical functionality and are loaders for the main worker module, researchers said.
Researchers also noted that attackers are using their own DEF files (instead of __declspec(dllexport), which adds the export directive to the object file so users do not need to use a DEF file) to give instructions for when to import or export its DLLs. A DEF file (or module-definition file) is a text file containing one or more module statements that describe various attributes of a DLL. When a DEF file is used, attackers can choose which ordinal their export function will have.
“This is not possible with __declspec(dllexport) as the Visual Studio compiler always counts your functions starting from one,” said researchers. “Using a DEF file instead of __declspec(dllexport) has some advantages. You are able to export functions by ordinals and you can also redirect functions among other things. The disadvantage is that you have to maintain an additional file within your project.”
Reichel told Threatpost there’s still a lot of unknowns about the malware, but he’s “encouraging the cybersecurity community to help collaborate with us and share any additional information about this threat if they have it,” he said.
Moving forward, AcidBox is a “very rare” malware that is probably used in highly targeted attacks, researchers said.
“While AcidBox doesn’t use any fundamentally new methods, it breaks the myth that only VirtualBox VBoxDrv.sys 1.6.2 can be used for Turla’s exploit,” they said. “Appending sensitive data as an overlay in icon resources, abusing the SSP interface for persistence and injection and payload storage in the Windows registry puts it into the category of interesting malware.”
Insider threats are different in the work-from home era. On June 24 at 2 p.m. ET, join the Threatpost edit team and our special guest, Gurucul CEO Saryu Nayyar, for a FREE webinar, “The Enemy Within: How Insider Threats Are Changing.” Get helpful, real-world information on how insider threats are changing with WFH, what the new attack vectors are and what companies can do about it. Please register here for this Threatpost webinar.