December 9, 2023

A “very rare” malware has been used by an unknown threat actor in cyberattacks against two different Russian organizations in 2017.

Advanced malware, dubbed AcidBox, has been identified by researchers who say a mysterious cybergang used it twice against Russian organizations as far back as 2017.

Fast forward to 2o14, and the notorious Turla Group developed the first malware to abused a third-party device driver to disable DSE, weaponizing Core Security’s research. The Turla Group attacks also focused on VirtualBox drivers. And despite Oracle’s 2008 patch, Turla operators successfully figured out how to disabled DSE with its malware. That’s because, according to Unit 42, despite the bug (CVE-2008-3431) fix, only one of two vulnerabilities were patched in 2008.

“The exploit used by Turla actually abuses two vulnerabilities — of which, only one was ever fixed [with CVE-2008-3431],” Unit 42 wrote in its report posted Wednesday. The Turla Group malware, researchers said, also targeted a second DSE vulnerability tied to a signed VirtualBox driver (VBoxDrv.sys v1.6.2) using what would later be identified as AcidBox malware.

Despite similarities between the Turla Group and the cybergang behind the recent VirtualBox attacks, researchers said the two threat groups are not linked. Turla, also known as Venomous Bear, Waterbug and Uroboros, is a Russian-speaking threat actor known since 2014.

VirtualBox Exploit

The exploit that was used by Turla abuses two vulnerabilities. The first flaw (CVE-2008-3431), fixed in 2008, exists in the VBoxDrvNtDeviceControl function in VBoxDrv.sys. The function does not properly validate a buffer associated with the Irp object, allowing local users to gain privileges by opening the \.\VBoxDrv device and calling DeviceIoControl to send a crafted kernel address.

The second vulnerability is still unpatched, and was used in a newer version of Turla’s exploit, which researchers believe was introduced in 2014 in the threat group’s kernelmode malware. It is this exploit that the yet-to-be-known threat actor behind AcidBox leveraged in the 2017 attack against the two Russian firms.

Acid box uses a known VirtualBox exploit to disable Driver Signature Enforcement in Windows, but with a new twist: While it’s publicly known that VirtualBox driver VBoxDrv.sys v1.6.2 is vulnerable and used by Turla, this new malware uses the same exploit but with a slightly newer VirtualBox version,” said researchers.

The Malware

The AcidBox malware itself is a complex modular toolkit. Researchers only have access to a small part of this toolkit. They found four 64-bit usermode DLLs and an unsigned kernelmode driver. Three (out of those four usermode samples (msv1_0.dll, pku2u.dll, wdigest.dll) have identical functionality and are loaders for the main worker module, researchers said.

Researchers also noted that attackers are using their own DEF files (instead of __declspec(dllexport), which adds the export directive to the object file so users do not need to use a DEF file) to give instructions for when to import or export its DLLs. A DEF file (or module-definition file) is a text file containing one or more module statements that describe various attributes of a DLL. When a DEF file is used, attackers can choose which ordinal their export function will have.

This is not possible with __declspec (dllexport) as the compiler always counts your functions starting from one,” said researchers. “Using a DEF file instead of __declspec (dllexport) has some advantages. You are able to export functions by ordinals and you can also redirect functions among other things. The disadvantage is that you have to maintain an additional file within your project.”

“While AcidBox doesn’t use any fundamentally new methods, it breaks the myth that only VirtualBox VBoxDrv.sys 1.6.2 can be used for Turla’s exploit,” they said. “Appending sensitive data as an overlay in icon resources, abusing the SSP interface for persistence and injection and payload storage in the Windows registry puts it into the category of interesting malware.”

Source : Threatpost

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d