Attackers have found a new way to exploit and compromise organisations: targeting virtualization software. In 2008, a notorious pro-Russian Advanced Persistent Threat (APT) group exploited vulnerabilities in virtualization software to victimise many organisations. More recently, while investigating attacks on Russian organisations in 2017, researchers discovered a 'rare' malware that leveraged that earlier exploit as part of an arsenal of highly crafted malicious tools, dubbed AcidBox. The yet-to-be-identified threat actor employed this rare malware in targeted attacks.
Turla’s Exploit
Also known as Waterbug, Venomous Bear and KRYPTON, Turla dates back to 2007. Allegedly operating under the Russian Federal Security Service (FSB), Turla has a long list of victims. The APT's targets include diplomatic and government organisations and private businesses in the Middle East, Asia, Europe, North and South America, and the former Soviet states (yes, not Russia).
Turla APT was the first known cybergang to abuse a third-party device driver to disable a security feature introduced in Windows Vista called Driver Signature Enforcement (DSE). DSE prevents unsigned drivers from being loaded into kernel space.
Turla's exploit, tracked as CVE-2008-3431 (Common Vulnerabilities and Exposures), targeted the signed VirtualBox driver VBoxDrv.sys v1.6.2. Using the vulnerable signed driver, these cyber crooks shut down the DSE mechanism, which allowed them to load their unsigned rogue drivers. This attack in 2008 is recognised as the first of its kind. Oracle patched the bug in VBoxDrv.sys version 1.6.4. AcidBox is thought to be a member of the malware family used by Turla APT.
Turla exploited two vulnerabilities, one of which remained unpatched. That unamended vulnerability in VBoxDrv.sys v1.6.2 is what an unidentified threat actor abused against two Russian firms in 2017. The "complex" and "rare" malware used in that attack builds on Turla's VirtualBox exploit; researchers dubbed it "AcidBox".
AcidBox
By leveraging Turla's exploit and using the AcidBox malware, the threat actor targeted two Russian firms in 2017, exploiting VirtualBox driver v2.2.0. Despite using similar tactics against VirtualBox, the threat actor is not believed to have ties with the pro-Russian Turla APT.
AcidBox disables Driver Signature Enforcement in Windows and loads malicious unsigned drivers. What makes it an interesting malware for researchers is its technique of appending sensitive data as an overlay in icon resources, abusing the Security Support Provider (SSP) interface for persistence and injection, and storing its payload in the Windows registry.
The yet-to-be-identified threat actor used a highly complex and rare, possibly rewritten, malware which breaks the myth that only VirtualBox VBoxDrv.sys v1.6.2 can be exploited using Turla's technique. On top of that, AcidBox can attack VirtualBox driver versions from 1.6.2 up to 3.0.0; the vulnerability left unpatched in 2008 was, however, incidentally fixed in v3.0.0.
What makes AcidBox rare and complex?
Researchers described the AcidBox malware as a "rare" and "complex" toolkit employed in highly targeted attacks. They could analyse and study only a small portion of it. With the help of other security firms, Unit 42 researchers found four 64-bit user-mode DLLs and an unsigned kernel-mode driver. The user-mode DLLs load the main worker from the Windows registry, and the driver is embedded in the main worker sample.
Palo Alto Networks' Unit 42 researchers found that the unknown threat actor used their own DEF files to control how the malicious DLLs export their functions. A DEF (module-definition) file describes the attributes of a DLL, including its exported symbols. The attacker used a DEF file instead of __declspec(dllexport), the compiler keyword that adds the export directive to the object file so that no DEF file is needed.
Moreover, choosing a specific ordinal is not possible with __declspec(dllexport), as the Visual Studio toolchain always assigns the ordinals itself, counting up from the first. Using a DEF file instead of __declspec lets the attacker choose which ordinal each exported function will have. The only disadvantage is the additional file in the project.
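To make the DEF-file detail concrete, the added example below (not code from the AcidBox samples or from Unit 42) parses the EXPORTS section of a constructed module-definition file and reports which entries pick their own ordinal and which are exported by ordinal only (NONAME); the file content, the library name and the symbol names are all assumed.

```python
import re

# Constructed DEF file, not taken from any real sample: the first two entries
# choose their export ordinals explicitly, and NONAME drops the symbol name from
# the export table so the function is reachable by ordinal only.
SAMPLE_DEF = """\
LIBRARY worker
EXPORTS
    ; comment lines start with a semicolon
    Start=InternalStart @10 NONAME
    Stop @11
    Status
    Config DATA
"""

# entryname[=internalname] [@ordinal [NONAME]] [PRIVATE|DATA]
ENTRY_RE = re.compile(
    r"^(?P<name>\w+)(?:=(?P<internal>[\w.]+))?"
    r"(?:\s+@(?P<ordinal>\d+)(?:\s+(?P<noname>NONAME))?)?"
    r"(?:\s+(?P<flag>PRIVATE|DATA))?\s*$")
OTHER_SECTIONS = ("LIBRARY", "NAME", "SECTIONS", "STACKSIZE", "VERSION", "HEAPSIZE")

def parse_def_exports(text: str) -> list[dict]:
    """Parse the EXPORTS section of a DEF file into one dict per exported symbol."""
    exports, in_exports = [], False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # strip comments and whitespace
        if not line:
            continue
        if line.upper() == "EXPORTS":
            in_exports = True
            continue
        if line.split()[0].upper() in OTHER_SECTIONS:
            in_exports = False                    # a different section begins
            continue
        if not in_exports:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unparsed EXPORTS entry: {line!r}")
        exports.append({
            "name": m["name"],
            "internal": m["internal"] or m["name"],
            "ordinal": int(m["ordinal"]) if m["ordinal"] else None,  # None: linker assigns
            "noname": m["noname"] is not None,
            "flag": m["flag"],
        })
    return exports

def ordinal_only_exports(text: str) -> list[int]:
    """Ordinals of exports that carry no name, the pattern worth a second look in triage."""
    return [e["ordinal"] for e in parse_def_exports(text) if e["noname"]]
```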
Mitigation and Prevention
Though AcidBox is employed in highly targeted attacks, there have been instances of VirtualBox-based intrusions in past years. This calls for cyber awareness.
System administrators should follow basic cyber hygiene to prevent such highly advanced attacks, such as always keeping the operating system up to date.
63% of users in India use pirated software. This increases the likelihood of notorious cyberattacks, as a pirated system has no licence and does not receive security updates. Therefore, it is always better to use genuine products (like licensed Windows).
Regularly monitoring system activity for anomalies and rectifying them promptly prevents further serious damage.
Palo Alto Networks issued two YARA rules for identifying such attacks. Along with them, a Python script is provided that can help victims recover the sensitive data appended to the icon resources.
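The icon-overlay technique described earlier, and the kind of recovery the script mentioned above performs, can be illustrated with the added example below (not the Unit 42 script or any AcidBox code): it computes where a DIB-format icon image, as stored in an RT_ICON resource, legitimately ends and returns whatever has been appended past that point. The 4x4 sample icon and the "SECRET-DATA" overlay are constructed inline, and PNG-format icons are assumed out of scope.

```python
import struct

BITMAPINFOHEADER = "<IiiHHIIiiII"   # 40-byte DIB header, little-endian

def build_sample_icon(overlay: bytes) -> bytes:
    """Constructed 4x4, 32-bpp DIB icon image (header, XOR bitmap, AND mask) + overlay."""
    width, height, bpp = 4, 4, 32
    # Icon DIBs store the combined XOR+AND height, i.e. twice the visible height.
    header = struct.pack(BITMAPINFOHEADER, 40, width, height * 2, 1, bpp, 0, 0, 0, 0, 0, 0)
    xor_bitmap = bytes(range(64))             # 4 rows * 16 bytes of BGRA pixels
    and_mask = b"\x00" * 16                   # 4 rows of 1-bit mask, each padded to 4 bytes
    return header + xor_bitmap + and_mask + overlay

def expected_dib_icon_size(data: bytes) -> int:
    """Bytes a legitimate DIB icon image occupies, computed from its own header."""
    if len(data) < 40:
        raise ValueError("too short for a BITMAPINFOHEADER")
    (bi_size, width, height2, _planes, bpp, compression, _size_image,
     _xppm, _yppm, clr_used, _clr_important) = struct.unpack(BITMAPINFOHEADER, data[:40])
    if bi_size != 40 or compression != 0:
        raise ValueError("not an uncompressed DIB icon (PNG-format icons are out of scope)")
    width, height = abs(width), abs(height2) // 2
    # Palette entries (RGBQUAD) only exist for 8 bpp and below.
    palette = 4 * (clr_used or (1 << bpp)) if bpp <= 8 else 0
    xor_row = ((width * bpp + 31) // 32) * 4  # rows padded to 32-bit boundaries
    and_row = ((width + 31) // 32) * 4         # 1-bit mask rows, same padding
    return bi_size + palette + (xor_row + and_row) * height

def extract_icon_overlay(data: bytes) -> bytes:
    """Return bytes appended past the end of the icon image (b'' if nothing is hidden)."""
    end = expected_dib_icon_size(data)
    if end > len(data):
        raise ValueError("icon data truncated")
    return data[end:]

if __name__ == "__main__":
    sample = build_sample_icon(b"SECRET-DATA")   # constructed overlay, not real data
    print(len(sample), extract_icon_overlay(sample))
```

A clean icon yields an empty overlay, so the same check doubles as a detection for icon resources that are larger than their headers say they should be.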
There are still many unknowns about AcidBox, and researchers are "encouraging the cybersecurity community to help collaborate with them and share any additional threat information if they have it". Staying updated is the only key to keeping you and your system safe.
Ayush Dubey is an engineering student from IIIT Jabalpur. He has a comprehensive background in technology, with cybersecurity as his primary field of interest. He loves to meet people who are always in a hustle to learn new things.