Mysterious 'AcidBox' Malware Used Turla Exploit to Target Russian Organizations (Security News, June 2020)

Targeted attacks delivering a new piece of malware leveraged an exploit previously associated with the Russian-linked Turla hacking group, Palo Alto Networks reveals.
Turla, believed to be operating on behalf of the Russian Federal Security Service and also tracked as Waterbug, Venomous Bear and KRYPTON, was the first threat actor known to have abused a third-party device driver to disable Driver Signature Enforcement, a security feature introduced in Windows Vista to prevent the loading of unsigned drivers.
The attackers behind the new campaign targeted at least two different Russian organizations in 2017 by exploiting version 2.2.0 of the same driver, likely chosen because that version was not known to be vulnerable at the time.
The attackers deployed a previously unknown malware family, which the researchers named AcidBox.
A complex piece of malware that forms part of a larger toolset, AcidBox is likely associated with an advanced threat actor and might still be in use today, provided that the attacker remains active.