AcidBox – VirtualBox Exploit
In 2014 a new threat actor entered the playing field. Estonian intelligence believes the group, known as Turla Group, to have Russian origins and to operate on behalf of the FSB (Federal Security Service), the security and counterintelligence organization of Russia. The group is notoriously known for an exploit that disables Driver Signature Enforcement (DSE), the mechanism that prevents unsigned drivers from being loaded into kernel space, the highest privilege layer in an operating system. Turla Group exploited the VirtualBox driver to deactivate DSE and then load malicious drivers. Two exploits were used in this attack back in 2014, when Turla Group introduced its kernel malware; only one of the two, CVE-2008-3431, was ever patched.
Two vulnerabilities are used in this exploit. Where CVE-2008-3431 was limited to version 1.6.2, the second, unpatched vulnerability allows all VirtualBox drivers up to version 3.0.0 to be exploited. This second vulnerability was found by an unknown threat actor, who used it against two different Russian organizations by exploiting version 2.2.0 of the VirtualBox driver. These activities were discovered by Unit 42 of Palo Alto Networks. The actor used a previously unknown malware, dubbed 'AcidBox', which is believed to belong to an advanced threat actor because of its complexity and rarity. Unit 42 also believes it is part of a larger toolset for that actor and is likely still in use today. So far, this exploit is the only relation between this actor and Turla Group, and Unit 42 does not believe the two to be tied.
Unit 42 has a well-done, in-depth analysis of the specific workings of the exploit and of the threat actor; see the sources below. Unit 42 also provides the community with two YARA rules for detection and threat hunting, as well as IOCs for files, mutexes, hashes and registry keys. An advanced malware that maintained stealth and avoided detection since 2017 has surfaced, and the researchers at Unit 42 expect more to be revealed about this new threat actor.
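The two passages above give a defender one concrete thing to hunt for that does not depend on file hashes: any copy of the VirtualBox kernel driver whose version falls in the range the write-up calls exploitable (up to and including 3.0.0), whether it is registered as a driver service or merely dropped on disk. The PowerShell script below is an added example written for this page, not code from the page or from Unit 42. It assumes the VirtualBox support driver is named VBoxDrv.sys (the page does not name the file) and that the search roots given as defaults are reasonable places to look; both are assumptions you should adjust to your environment.

```powershell
# Added hunting script (not from the page or from Unit 42).
# Finds copies of the VirtualBox kernel support driver and flags those whose
# version is <= 3.0.0, the upper bound of the exploitable range the page describes.
# Assumption: the driver file is named VBoxDrv.sys (the page does not name it).

$MaxVulnerableVersion = [version]'3.0.0'
$DriverFileName       = 'VBoxDrv.sys'   # assumption, see above

function Get-DriverVersion {
    param([Parameter(Mandatory)][string]$Path)
    # Use the numeric parts of the PE version resource rather than parsing
    # free-form strings such as "3.0.0 r49315".
    $vi = (Get-Item -LiteralPath $Path -ErrorAction Stop).VersionInfo
    return [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart)
}

function Test-VulnerableVBoxDriver {
    param([Parameter(Mandatory)][string]$Path)
    $version = Get-DriverVersion -Path $Path
    $sig     = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path            = $Path
        Version         = $version
        Vulnerable      = ($version -le $MaxVulnerableVersion)
        # A vulnerable copy is normally still validly signed; that is exactly
        # why it passes Driver Signature Enforcement. Version, not signature,
        # is the discriminating field here.
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
    }
}

function Get-VBoxDriverFindings {
    param(
        # Assumed default search roots; extend with whatever your estate uses.
        [string[]]$SearchRoots = @("$env:SystemRoot\System32\drivers", $env:ProgramFiles, $env:TEMP)
    )

    $paths = New-Object 'System.Collections.Generic.HashSet[string]' `
                 -ArgumentList ([System.StringComparer]::OrdinalIgnoreCase)

    # 1. Drivers registered with the service control manager, loaded or not.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -and ($_.PathName -like "*$DriverFileName") } |
        ForEach-Object {
            $p = $_.PathName -replace '^\\\?\?\\', ''   # strip the \??\ NT path prefix
            if (Test-Path -LiteralPath $p) { [void]$paths.Add($p) }
        }

    # 2. Copies on disk that are not registered as a service at all.
    Get-ChildItem -Path $SearchRoots -Filter $DriverFileName -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object { [void]$paths.Add($_.FullName) }

    foreach ($p in $paths) {
        try   { Test-VulnerableVBoxDriver -Path $p }
        catch { Write-Warning "Could not inspect ${p}: $_" }
    }
}

# Usage: show every copy found, then call out the ones inside the vulnerable range.
$all = Get-VBoxDriverFindings
$all | Format-Table -AutoSize
$all | Where-Object Vulnerable | ForEach-Object {
    Write-Host "VULNERABLE VirtualBox driver $($_.Version) at $($_.Path) (signature: $($_.SignatureStatus))"
}
```

Run it in an elevated session so the driver directory and service list are fully readable. A hit on the vulnerable version range is not proof of compromise on its own, since an old VirtualBox install leaves the same file behind; pair it with the Unit 42 YARA rules and the file, mutex and registry IOCs the page mentions before escalating.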
Sources