Mysterious 'AcidBox' Malware Used Turla Exploit to Target Russian Organizations
Targeted attacks delivering a new piece of malware leveraged an exploit previously associated with the Russian-linked Turla hacking group, Palo Alto Networks reveals.
Believed to be operating on behalf of the Russian Federal Security Service and also known as Waterbug, Venomous Bear and KRYPTON, Turla was the first threat actor known to have abused a third-party device driver to disable Driver Signature Enforcement, a security feature introduced in Windows Vista to prevent the loading of unsigned drivers.
The adversary targeted at least two different Russian organizations in 2017 by exploiting version 2.2.0 of that driver, likely because this iteration wasn't known to be vulnerable.
The attackers deployed a previously unknown malware family, which the researchers named AcidBox.
A complex piece of malware that is part of a bigger toolset, AcidBox is likely associated with an advanced threat actor and might still be in use today, provided that the attacker is still active.