AcidBox Malware Leveraging Turla Group’s Exploit to Target Russian Organizations

To increase the impact and intensity of their cyberattacks, several cybercriminals have started targeting legitimate virtualization platforms used in the organizations. A new malware was recently found exploiting bugs in the newer versions of VirtualBox.

AcidBox - The latest threat to virtualization

An analysis of the malware samples, known to be used in Turla’s VirtualBox exploit, showed that this malware has been used in highly targeted attacks.
  • Earlier this month, Palo Alto Networks’ Unit 42 found that a yet-to-be-identified cybergang had launched attacks against two different Russian organizations in 2017, by attacking the popular open-source virtualization software VirtualBox.
  • The cybergang developed an advanced malware, dubbed AcidBox, to abuse a bug (CVE-2008-3431), in the Windows Vista security mechanism called Driver Signature Enforcement (DSE). The malware also targeted a second DSE vulnerability tied to a signed VirtualBox driver (VBoxDrv.sys v1.6.2).
  • First seen in February 2020, the malware even targeted VirtualBox driver VBoxDrv.sys v1.6.2, along with all other versions up to v3.0.0.

Innovative evasion mechanisms using VirtualBox

Recently, cybercriminals were also observed leveraging VirtualBox as an evasion technique to thwart antivirus vendors and virus researchers.
  • In May 2020, the RagnarLocker ransomware operators were observed deploying Oracle VirtualBox to dodge security by hiding their presence inside a Windows XP virtual machine on the infected computers.
  • In December 2019, ZeroCleare malware was found using a vulnerable but signed driver from a version of Oracle's VirtualBox virtual machine software to bypass the signature checking of the driver allowing it to attack 64-bit versions of Windows.

Stay safe

Users should follow the fundamental principles of cybersecurity, like keeping the software and the host/guest operating systems up to date and restricting network access to critical services. Also, security teams should monitor system activity regularly for any anomalies in normal behavior.