A new advanced malware called AcidBox was discovered targeting an unpatched vulnerability in the popular sandbox environment VirtualBox. A mysterious cyber gang, which has allegedly targeted Russian organizations since 2017, was linked to the new malware strain, researchers at Palo Alto Networks' Unit 42 report. The malware uses a surprising set of long-forgotten vulnerabilities and techniques to compromise Windows systems through the popular open-source virtualization software.

The researchers report that AcidBox is a modular threat and only one piece of a larger malware toolkit. Only a small part of this kit has been analyzed, revealing four 64-bit usermode DLLs and an unsigned kernelmode driver. Three of the four usermode DLLs (msv1_0.dll, pku2u.dll, wdigest.dll) are loaders for the main worker module and carry the same file names as standard Windows SSP DLLs. These usermode DLLs are built as Security Support Providers (SSPs), the mechanism Windows uses for security services such as authentication between client and server applications; the Local Security Authority loads every DLL listed in the "Security Packages" registry value into lsass.exe at boot. The malware abuses the SSP interface for persistence and injection: a DLL registered as an SSP is loaded into the LSA process on every boot without needing a service, a scheduled task or a separate injector.

Figure: the standard SSP DLLs provided in Windows 7 as part of the "Security Packages" value.

The three loaders are designed to load the main worker module, which is stored in the registry, encrypted, inside a data blob that also contains various other metadata. The researchers explain that the SSP DLL decrypts the main DLL from the registry by XORing the data with the single-byte key 0xCA. The main DLL is then prepared for loading in memory and given its own thread, with the module's exported UpdateContext function as the thread's start address. The main worker then loads the toolkit's unsigned kernelmode driver via a VirtualBox exploit (without the exploit, 64-bit Windows refuses to load a driver that lacks a valid kernel-mode signature) and remains inactive, waiting for commands from one of its components.

How to disable driver signature verification Windows 7

1. Press Win+R to open the Run dialog.
2. Type gpedit.msc and press Enter to open the Local Group Policy Editor.
3. Under User Configuration, expand Administrative Templates, then System, then Driver Installation.
4. In the right panel, double-click "Code signing for device drivers".
5. Choose "Enabled" in the window that appears, and in the options below choose "Ignore".
6. This disables the driver-signing check for driver installation in Windows 7. Restart your computer, then install the unsigned driver; when the warning appears, click "Install this driver software anyway".

Note: the step "hold down the Windows key and press C to open the Charm menu, then click the gear icon (Settings)" applies to Windows 8 and 8.1 only. Windows 7 has no Charms menu, so it is not part of the Windows 7 procedure.

Caveat: this policy is per-user and governs only how driver installation reacts to an unsigned driver package. On 64-bit Windows 7 it does not switch off kernel-mode code signing enforcement, so a driver without a valid kernel-mode signature still fails to load after the package is installed. Loading such a driver requires test-signing mode (bcdedit /set testsigning on), the one-boot "Disable Driver Signature Enforcement" option in the F8 boot menu, or, as AcidBox does, a kernel exploit. Because "Ignore" also suppresses the warning a user would otherwise see, set the policy back to "Not Configured" (or "Block") once the legitimate driver is installed.
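The following PowerShell audit script is an added example; it is not code from the Unit 42 report, from AcidBox, or from the how-to above. It checks a Windows 7 x64 host for the three things the text describes: DLLs registered as SSPs in the LSA "Security Packages" values (the AcidBox persistence and injection mechanism), the boot options and the per-user policy that relax driver-signature checking, and a registry value hiding a PE image XOR-encrypted with 0xCA. Assumptions: it runs in an elevated PowerShell; $ExpectedPackages is the Windows 7 default SSP list and must be confirmed against a known-good host of the same build; the report does not name the registry location of the encrypted blob, so the key and value passed to Find-XorEncodedPe are hypothetical; and the BehaviorOnFailedVerify mapping (0 Ignore, 1 Warn, 2 Block) is the registry representation of the policy the how-to changes.

```powershell
# Added audit example (not from Unit 42, AcidBox, or the how-to). Run elevated on Windows 7 x64.
# Baseline SSP list for Windows 7 (assumption: verify against a known-good host of the same build).
$ExpectedPackages = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u')

function Get-SspRegistration {
    # One object per entry of the LSA 'Security Packages' values. LSA loads these DLLs into
    # lsass.exe at boot, so an unexpected entry is both persistence and injection into LSA.
    $keys = @('HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
              'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig')
    foreach ($key in $keys) {
        $entries = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Security Packages'
        foreach ($entry in @($entries)) {
            if ([string]::IsNullOrEmpty($entry)) { continue }
            $name   = [System.IO.Path]::GetFileNameWithoutExtension($entry).ToLower()
            $isPath = $entry -match '[\\/]'
            # LSA resolves a bare name relative to System32; a full path is itself unusual.
            if ($isPath) { $path = $entry } else { $path = Join-Path $env:SystemRoot "System32\$name.dll" }
            $company = ''; $sig = 'FileMissing'
            if (Test-Path -LiteralPath $path) {
                $company = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path).CompanyName
                # Inbox Windows 7 DLLs are catalog-signed, so Get-AuthenticodeSignature reports
                # NotSigned for legitimate files here. Treat Signature as context, not a verdict,
                # and confirm suspects with Sysinternals sigcheck, which also checks catalogs.
                $sig = (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
            }
            $reasons = @()
            if ($ExpectedPackages -notcontains $name) { $reasons += 'not in baseline' }
            if ($isPath)                               { $reasons += 'registered by full path' }
            if ($sig -eq 'FileMissing')                { $reasons += 'file missing' }
            elseif ($company -notlike '*Microsoft*')   { $reasons += "CompanyName '$company'" }
            New-Object PSObject -Property @{
                Key = $key; Entry = $entry; Path = $path; Signature = $sig
                Company = $company; Suspicious = ($reasons -join '; ')
            }
        }
    }
}

function Get-DriverSigningState {
    # Boot options that relax kernel-mode code signing (DSE), plus the per-user policy the
    # how-to changes. That policy affects driver installation only; DSE is a separate check.
    $bcd = (& bcdedit /enum '{current}' 2>&1) | Out-String   # needs elevation; on error nothing matches
    $map = @{ 0 = 'Ignore'; 1 = 'Warn'; 2 = 'Block' }
    $pol = Get-ItemProperty -Path 'HKCU:\Software\Policies\Microsoft\Windows NT\Driver Signing' -ErrorAction SilentlyContinue
    $behaviour = 'Not configured'
    if ($pol -and $pol.PSObject.Properties['BehaviorOnFailedVerify']) {
        $behaviour = $map[[int]$pol.BehaviorOnFailedVerify]
    }
    New-Object PSObject -Property @{
        TestSigning          = [bool]($bcd -match '(?im)^testsigning\s+Yes')
        NoIntegrityChecks    = [bool]($bcd -match '(?im)^nointegritychecks\s+Yes')
        PolicyOnFailedVerify = $behaviour
    }
}

function Find-XorEncodedPe {
    # Decode a REG_BINARY value with a single-byte XOR (0xCA per the report) and return the
    # offset of the first PE image inside the decoded blob, or -1. The blob carries other
    # metadata, so the image need not start at offset 0. Key and value names are hypothetical.
    param([string]$KeyPath, [string]$ValueName, [byte]$Key = 0xCA)
    $raw = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if (-not ($raw -is [byte[]]) -or $raw.Length -lt 0x40) { return -1 }
    $dec = New-Object byte[] ($raw.Length)
    for ($i = 0; $i -lt $raw.Length; $i++) { $dec[$i] = $raw[$i] -bxor $Key }
    for ($off = 0; $off -le ($dec.Length - 0x40); $off++) {
        if ($dec[$off] -ne 0x4D -or $dec[$off + 1] -ne 0x5A) { continue }           # 'MZ'
        $peOff = [BitConverter]::ToInt32($dec, $off + 0x3C)                          # e_lfanew
        if ($peOff -lt 0x40 -or ($off + $peOff + 4) -gt $dec.Length) { continue }
        if ([BitConverter]::ToUInt32($dec, $off + $peOff) -eq 0x00004550) { return $off }  # 'PE\0\0'
    }
    return -1
}

Get-SspRegistration | Format-Table Entry, Path, Signature, Company, Suspicious -AutoSize
Get-DriverSigningState
# Hypothetical location; substitute the registry value you are investigating.
Find-XorEncodedPe -KeyPath 'HKLM:\SOFTWARE\Example\Blob' -ValueName 'Data'
```

The SSP check deliberately reports three independent signals (baseline membership, path form, and file publisher) rather than relying on Authenticode alone, because on Windows 7 the legitimate SSPs are catalog-signed and would all look "NotSigned" to Get-AuthenticodeSignature. The driver-signing check separates the gpedit policy from the bcdedit boot flags so that a host where the policy is "Ignore" but test signing is off is reported correctly: unsigned kernel drivers still cannot load there, which is exactly the gap AcidBox fills with its VirtualBox exploit.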