AcidBox Malware Uncovered Using Repurposed VirtualBox Exploit

silversurfer (thread author)
Advanced malware, dubbed AcidBox, has been identified by researchers who say a mysterious cybergang used it twice against Russian organizations as far back as 2017. In a report released Wednesday, Palo Alto Networks’ Unit 42 sheds new light onto attacks against the popular open-source virtualization software VirtualBox that used the AcidBox malware.

Unit 42’s postmortem on the VirtualBox attacks begins in 2008 when researchers at Core Security found a bug in the Windows Vista security mechanism called Driver Signature Enforcement (DSE). The flaw allowed an attacker to disable DSE and install rogue software onto targeted instances of Oracle’s VirtualBox software. The bug (CVE-2008-3431) impacting VirtualBox driver VBoxDrv.sys was patched in version 1.6.4.

Fast forward to 2014, and the notorious Turla Group developed the first malware to abuse a third-party device driver to disable DSE, weaponizing Core Security’s research. The Turla Group attacks also focused on VirtualBox drivers. And despite Oracle’s 2008 patch, Turla operators successfully figured out how to disable DSE with its malware. That’s because, according to Unit 42, despite the bug (CVE-2008-3431) fix, only one of two vulnerabilities was patched in 2008.

“The exploit used by Turla actually abuses two vulnerabilities — of which, only one was ever fixed [with CVE-2008-3431],” Unit 42 wrote in its report posted Wednesday. The Turla Group malware, researchers said, also targeted a second DSE vulnerability tied to a signed VirtualBox driver (VBoxDrv.sys v1.6.2) using what would later be identified as AcidBox malware.
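The pattern the article describes is a validly signed but vulnerable driver being loaded so that its bug can be used to switch off Driver Signature Enforcement. The defender-side counterpart is a driver inventory check. The script below is an added example, not code from the article, Unit 42 or Oracle: it assesses a constructed list of loaded-driver records against a known-vulnerable list (the only real entry is the VBoxDrv.sys boundary quoted above, fixed in 1.6.4 with the 1.6.2 build being the one abused), and adds two heuristics that are my assumptions rather than anything the article states: a listed driver loaded from outside the system driver directory, and any loaded driver that is unsigned, which DSE should have prevented.

```python
"""
Flag loaded Windows drivers that match a known-vulnerable signed-driver list.

Hypothetical defender-side inventory check (not Unit 42's or Oracle's code).
The records below are constructed; on a real host you would fill them from
driverquery / Get-CimInstance Win32_SystemDriver plus the PE version resource.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# name -> version below which loading is a finding.
# Only the VBoxDrv.sys entry comes from the article; extend from vendor advisories.
VULNERABLE_BELOW = {
    "vboxdrv.sys": (1, 6, 4),
}

SYSTEM_DRIVER_DIR = PureWindowsPath(r"C:\Windows\System32\drivers")


@dataclass
class DriverRecord:
    image_path: str
    file_version: str   # e.g. "1.6.2.0" as reported by the PE version resource
    signed: bool        # True if the image carries a valid Authenticode signature


def parse_version(text: str) -> tuple:
    """Turn '1.6.2.0' or '1.6.4' into a comparable tuple; non-numeric parts become 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.strip().split("."))


def version_below(found: tuple, fixed: tuple) -> bool:
    """Compare version tuples after zero-padding so 1.6.4 and 1.6.4.0 are equal."""
    width = max(len(found), len(fixed))
    return found + (0,) * (width - len(found)) < fixed + (0,) * (width - len(fixed))


def assess(record: DriverRecord) -> list:
    """Return human-readable findings for one driver record (empty list = nothing to flag)."""
    findings = []
    path = PureWindowsPath(record.image_path)
    name = path.name.lower()
    fixed = VULNERABLE_BELOW.get(name)

    if fixed is not None and version_below(parse_version(record.file_version), fixed):
        findings.append(
            f"{name} {record.file_version} is below the fixed version "
            f"{'.'.join(map(str, fixed))}: a signed but vulnerable build is the "
            "bring-your-own-vulnerable-driver pattern the article describes"
        )

    # Heuristic (assumption, not from the article): a listed driver whose image
    # lives outside the system driver directory deserves a second look.
    if fixed is not None and path.parent != SYSTEM_DRIVER_DIR:
        findings.append(f"{name} loaded from unusual location {path.parent}")

    # Heuristic (assumption): DSE should refuse unsigned drivers, so one being
    # loaded suggests DSE or test signing has already been tampered with.
    if not record.signed:
        findings.append(f"{name} is loaded while unsigned; check whether DSE is still enforced")

    return findings


def scan(records) -> dict:
    """Map each flagged image path to its findings; clean drivers are omitted."""
    result = {}
    for record in records:
        findings = assess(record)
        if findings:
            result[record.image_path] = findings
    return result


# Constructed sample inventory: one current VirtualBox driver in the normal
# place, one old build dropped in a user-writable directory, one system driver,
# and one unsigned driver in a temp directory.
SAMPLE_INVENTORY = [
    DriverRecord(r"C:\Windows\System32\drivers\VBoxDrv.sys", "6.1.10.0", True),
    DriverRecord(r"C:\Users\Public\VBoxDrv.sys", "1.6.2.0", True),
    DriverRecord(r"C:\Windows\System32\drivers\ntfs.sys", "10.0.19041.1", True),
    DriverRecord(r"C:\Windows\Temp\loader.sys", "1.0.0.0", False),
]

if __name__ == "__main__":
    for image_path, findings in scan(SAMPLE_INVENTORY).items():
        print(image_path)
        for finding in findings:
            print("  -", finding)
```

Run against the sample, the current VirtualBox driver and ntfs.sys produce nothing, the 1.6.2 copy under C:\Users\Public is flagged twice (old version, odd location), and the unsigned loader is flagged once. The version table is the part to keep current: a vulnerable-driver check is only as good as the list of builds it knows about.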
 
