# ACIDBOX Clustering **epicturla.com/blog/acidbox-clustering** Jun 26 Written By [J A G-S](http://10.10.0.46/blog?author=5de05bd68772d028587d08bf) June 26, 2020 **Update 06.29.2020: As in all things, the wider wisdom of the threat intel community** provides greater context. The code overlaps I was pointing to while scarcer were not in fact unique. As [@TheEnergyStory points out, it’s Mbed TLS put through Visual Studio. Relevant](https://twitter.com/TheEnergyStory) tweets pictured here: ----- With that nailing the coffin on this false start, I hope folks will have better luck figuring out what to do with this interesting new cluster :) As I was looking over this blog, I realized I’d inadvertently settled into a once a month post and hadn’t been planning to post anything for June. However, doing some routine code similarity work, I stumbled upon something I felt like sharing for others to enjoy over the weekend. ----- Last week, Palo Alto Unit42 researchers Dominik Reichel and Esmid Idrizovic revealed their [discovery of ACIDBOX (a.k.a. KL: MagicScroll), a new and fascinating activity set](https://unit42.paloaltonetworks.com/acidbox-rare-malware/) [reminiscent of Remsec (a.k.a., KL_Project Sauron or SYMC_Strider) and using an exploit](https://securelist.com/faq-the-projectsauron-apt/75533/) technique of our dear Turla (namesake of this blog). Researchers were cautious about affirmatively clustering ACIDBOX to either in lieu of stronger evidence. With the prospect of possibly finding a new Remsec or Turla campaign or more of an unknown threat actor, I was eager to work on rules for this set in the hopes of unearthing more context. A few samples have trickled onto VirusTotal over the past week and based on these I was able to construct a well tested code similarity rule. While I haven’t had a chance to dig deeper into the findings, I wanted to present a curious early finding others may find interesting: _ACIDBOX (left) and Turla Nautilus Payload (right)_ This ACIDBOX DLL (sha256: eb30a1822bd6f503f8151cb04bfd315a62fa67dbfe1f573e6fcfd74636ecedd5) shows a good portion of code overlap with a peculiar Turla Nautilus sample reported by NCSC in November 2017. The next stage payload, ‘oxygen.dll’, is built with the same compiler (Microsoft Visual C/C++ 2013) and linker (Microsoft Linker 12.0), and meant to be decrypted in order to inject into a target process via reflective loading. While a portion of that similarity may be accounted for by common statically linked code, a shared crypto implementation merits more attention. eb30a1822bd6f503f8151cb04bfd315a62fa67dbfe1f573e6fcfd74636ecedd5: sub_18001A524 cefc5cf4d46abb86fb0f7c81549777cf1a2a5bfbe1ce9e7d08128ab8bfc978f8: sub_18002E694 ----- eb30a1822bd6f503f8151cb04bfd315a62fa67dbfe1f573e6fcfd74636ecedd5: sub_1800179AC cefc5cf4d46abb86fb0f7c81549777cf1a2a5bfbe1ce9e7d08128ab8bfc978f8: sub_1800275CC eb30a1822bd6f503f8151cb04bfd315a62fa67dbfe1f573e6fcfd74636ecedd5: sub_180017664 cefc5cf4d46abb86fb0f7c81549777cf1a2a5bfbe1ce9e7d08128ab8bfc978f8: sub_180024D70 Enjoy your weekend and Happy Hunting. [J A G-S](http://10.10.0.46/blog?author=5de05bd68772d028587d08bf) -----