Cybercriminals Use Macros to Deliver Rovnix Malware

The Rovnix Trojan has started leveraging macros embedded in innocent-looking Microsoft Word documents to infect computers, researchers at Trend Micro reported on Wednesday.

The use of macros in the infection chain is an old technique, but it can still be highly effective. Last month, researchers at Palo Alto Networks reported that the Dridex banking Trojan, a successor of Cridex, was also being delivered through macros.

In the case of Rovnix, however, the macros are password-protected, which makes the malware harder to analyze. The cybercriminals have also obfuscated the macro code with string concatenations and variable substitutions in an effort to evade signature-based detection by security products.
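As an added illustration, not code from Trend Micro's report or from the Rovnix authors, the Python below folds the two obfuscation tricks just described on a constructed macro: string concatenations and Chr() calls are reduced to constants and variable references are substituted until the final Shell command is readable. The macro text, the variable names and the %TEMP% path are assumptions; only the script name adobeacd-update.bat comes from the article.

```python
import re

# Constructed sample of an obfuscated AutoOpen macro in the style the article
# describes (string concatenation, Chr() calls, variable substitution).
# It is NOT the Rovnix macro; only the dropped script's name is from the article.
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim a1, a2, a3, cmd
    a1 = "cm" & "d.e" & "xe /c "
    a2 = Chr(97) & Chr(100) & "obeacd-" & "update.bat"
    a3 = "%TEMP%\" & a2
    cmd = a1 & a3
    Shell cmd, 0
End Sub
'''


def _pieces(expr):
    """Split a VBA concatenation expression on '&' characters outside string literals."""
    pieces, cur, in_str = [], '', False
    for ch in expr:
        if ch == '"':
            in_str = not in_str
        if ch == '&' and not in_str:
            pieces.append(cur.strip())
            cur = ''
        else:
            cur += ch
    pieces.append(cur.strip())
    return pieces


def _fold(piece, env):
    """Reduce one operand to a constant string: a literal, Chr(n), or an already-known variable."""
    if len(piece) >= 2 and piece[0] == '"' and piece[-1] == '"':
        return piece[1:-1].replace('""', '"')   # VBA escapes a quote by doubling it
    m = re.fullmatch(r'Chr\((\d+)\)', piece, re.IGNORECASE)
    if m:
        return chr(int(m.group(1)))
    if piece in env:
        return env[piece]
    raise ValueError(f'cannot fold operand: {piece!r}')   # function call etc.: manual work


def fold_macro(src):
    """Return (variables, shell_commands) with every concatenation folded to a constant."""
    env, shells = {}, []
    for raw in src.splitlines():
        line = raw.strip()
        m = re.fullmatch(r'([A-Za-z_]\w*)\s*=\s*(.+)', line)
        if m and not line.lower().startswith('dim '):
            env[m.group(1)] = ''.join(_fold(p, env) for p in _pieces(m.group(2)))
            continue
        # "Shell <expr>[, windowstyle]": resolve the command the macro really runs
        m = re.fullmatch(r'Shell\s+(.+?)(?:\s*,\s*\d+)?', line, re.IGNORECASE)
        if m:
            shells.append(''.join(_fold(p, env) for p in _pieces(m.group(1))))
    return env, shells


if __name__ == '__main__':
    variables, commands = fold_macro(SAMPLE_MACRO)
    for command in commands:
        print('Shell ->', command)
```

Run it against a VBA dump (for example the output of olevba) and anything the folder cannot reduce, such as a function call or an environment lookup, raises a ValueError that marks exactly where manual analysis has to pick up.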

The Rovnix attacks analyzed by Trend Micro start with a Word document containing a fake Microsoft Office alert instructing the user to enable macros. Once macros are enabled, the malicious code runs and drops three hidden scripts, a batch file, a VBScript and a PowerShell script, on the system.

One of them is a PowerShell script which, according to the researchers, indicates that the attackers are targeting machines running Windows 7 and later. PowerShell, Microsoft's task automation and configuration management framework, has shipped with Windows by default since Windows 7 (as PowerShell 2.0); on earlier versions it had to be installed separately.

“The script named adobeacd-update.bat executes adobeacd-update.vbs (VBS_POWRUN.KG), elevates user privileges, and then executes another script, named adobeacd-update.ps1 (TROJ_POWDLOD.GN). TROJ_POWDLOD.GN then downloads and executes TROJ_ROVNIX.NGT from http//185[.]14[.]31[.]9/work.exe, which was found to be a ROVNIX loader,” Joie Salvio, a Trend Micro threat response engineer, wrote in a blog post.
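The chain Salvio describes (a Word document, then a .bat, a .vbs and a .ps1) leaves a distinctive parent-process trail. The following Python is an added example, not Trend Micro's code: it walks constructed process-creation events (pids, paths and the document name are made up; the script names are the article's) and flags any script host whose ancestry includes an Office application.

```python
from collections import namedtuple

# Minimal process-creation record (the fields Sysmon event 1 or an EDR would give you).
Event = namedtuple('Event', 'pid ppid image cmdline')

OFFICE_APPS = {'winword.exe', 'excel.exe', 'powerpnt.exe'}
SCRIPT_HOSTS = {'cmd.exe', 'wscript.exe', 'cscript.exe', 'powershell.exe'}

# Constructed sample telemetry mirroring the .bat -> .vbs -> .ps1 chain the article
# describes, plus one benign PowerShell launch from Explorer. Pids, paths and the
# document name are made up; the script names come from the article.
SAMPLE_EVENTS = [
    Event(1200, 800,  r'C:\Windows\explorer.exe', 'explorer.exe'),
    Event(3344, 1200, r'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE',
          r'"WINWORD.EXE" /n C:\Users\u\Downloads\document.doc'),
    Event(3410, 3344, r'C:\Windows\System32\cmd.exe',
          r'cmd.exe /c C:\Users\u\AppData\Local\Temp\adobeacd-update.bat'),
    Event(3422, 3410, r'C:\Windows\System32\wscript.exe',
          r'wscript.exe C:\Users\u\AppData\Local\Temp\adobeacd-update.vbs'),
    Event(3450, 3422, r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
          r'powershell.exe -ExecutionPolicy Bypass -File C:\Users\u\AppData\Local\Temp\adobeacd-update.ps1'),
    Event(3500, 1200, r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
          'powershell.exe Get-Process'),
]


def _basename(path):
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def office_spawned_script_hosts(events, max_depth=5):
    """Flag script hosts that have an Office application among their ancestors.

    Returns [(pid, 'child <- parent <- ... <- winword.exe'), ...]. The lookup is
    keyed on pid for brevity; production logic should key on ProcessGuid, because
    Windows reuses pids and an attacker can wait for that to happen.
    """
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        name = _basename(e.image)
        if name not in SCRIPT_HOSTS:
            continue
        chain, cur, depth = [name], by_pid.get(e.ppid), 0
        while cur is not None and depth < max_depth:
            pname = _basename(cur.image)
            chain.append(pname)
            if pname in OFFICE_APPS:
                hits.append((e.pid, ' <- '.join(chain)))
                break
            cur, depth = by_pid.get(cur.ppid), depth + 1
    return hits


if __name__ == '__main__':
    for pid, chain in office_spawned_script_hosts(SAMPLE_EVENTS):
        print(f'ALERT pid={pid}: {chain}')
```

The intermediate cmd.exe and wscript.exe hops are why the walk goes several levels up rather than checking only the direct parent; the benign PowerShell started from Explorer is left alone.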

Rovnix writes its rootkit driver to unpartitioned space on the NTFS disk, where file-system-level security scanners do not look. It also patches the initial program loader (IPL) code that follows the NTFS volume boot record, so that the bootkit runs, and loads the rootkit driver, before the operating system starts. Besides hiding the driver, this is how the malware gets an unsigned kernel driver loaded on Windows 7 and later despite driver signature enforcement.
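To make "unpartitioned space" and the IPL concrete from a forensic point of view, here is an added Python example (not Trend Micro's or Rovnix's code). It parses the MBR partition table of a constructed disk image, lists the sectors that no partition claims, reports which of those hold non-zero data, and hashes the volume boot record plus the 15-sector IPL so the result can be compared with a known-good baseline. The image layout, partition geometry and implant bytes are all made up for the example.

```python
import hashlib
import struct

SECTOR = 512
IPL_SECTORS = 15   # NTFS keeps its initial program loader in the 15 sectors after the VBR


def parse_mbr_partitions(image):
    """Return sorted (lba_start, sector_count, type) for each populated MBR entry."""
    if image[510:512] != b'\x55\xaa':
        raise ValueError('no MBR boot signature')
    parts = []
    for i in range(4):
        entry = image[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]                              # 0x07 = NTFS/exFAT/HPFS
        lba, count = struct.unpack_from('<II', entry, 8)
        if ptype != 0 and count:
            parts.append((lba, count, ptype))
    return sorted(parts)


def unpartitioned_ranges(parts, total_sectors):
    """Sector ranges [start, end) covered by no partition: the MBR gap and any tail slack."""
    ranges, cursor = [], 1          # sector 0 is the MBR itself
    for lba, count, _ in parts:
        if lba > cursor:
            ranges.append((cursor, lba))
        cursor = max(cursor, lba + count)
    if cursor < total_sectors:
        ranges.append((cursor, total_sectors))
    return ranges


def nonzero_sectors(image, ranges):
    """Unpartitioned sectors that hold data: candidate locations for a hidden driver."""
    return [s for start, end in ranges for s in range(start, end)
            if any(image[s * SECTOR:(s + 1) * SECTOR])]


def boot_code_hash(image, volume_lba):
    """SHA-256 over VBR + IPL of the volume at volume_lba, for comparison with a baseline."""
    start = volume_lba * SECTOR
    return hashlib.sha256(image[start:start + (1 + IPL_SECTORS) * SECTOR]).hexdigest()


def build_sample_image(total_sectors=1024, part_lba=63, part_count=700, implant=b''):
    """Constructed test disk: one NTFS-typed partition, optional blob written past its end."""
    img = bytearray(total_sectors * SECTOR)
    img[446:462] = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack('<II', part_lba, part_count)
    img[510:512] = b'\x55\xaa'
    vbr = part_lba * SECTOR
    img[vbr:vbr + 11] = b'\xeb\x52\x90NTFS    '       # jump + OEM id of a real NTFS VBR
    img[vbr + SECTOR:vbr + SECTOR + 4] = b'IPL!'        # stand-in for the IPL code
    if implant:
        tail = (part_lba + part_count) * SECTOR
        img[tail:tail + len(implant)] = implant
    return bytes(img)


if __name__ == '__main__':
    disk = build_sample_image(implant=b'MZ' + b'\x90' * 700)   # constructed "hidden driver"
    parts = parse_mbr_partitions(disk)
    gaps = unpartitioned_ranges(parts, 1024)
    print('partitions:', parts)
    print('unpartitioned:', gaps)
    print('non-zero unpartitioned sectors:', nonzero_sectors(disk, gaps))
    print('VBR+IPL sha256:', boot_code_hash(disk, parts[0][0]))
```

Two caveats a practitioner would want: unpartitioned space on a real disk often contains leftovers from earlier partitioning, so non-zero sectors are a lead to carve and inspect rather than proof of infection, and the hash is only meaningful against a baseline taken from a clean system with the same Windows build. The parser covers classic MBR disks only; GPT disks keep the partition array elsewhere.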

The vast majority of the users infected with this piece of malware (95%) are based in Germany, Trend Micro said. Some infections have also been spotted in the United Kingdom, the Netherlands, the United States and Belgium.

“ROVNIX poses dangers to both users and enterprises since aside from its backdoor capabilities, it can steal passwords and record keystrokes. This attack may be used in data breaches as data theft is a main payload,” Salvio wrote.

Researchers at Bitdefender have also been monitoring Rovnix. Earlier this month, the security firm reported spotting a campaign that focused on the United Kingdom. A total of more than 130,000 infected computers were detected.

An interesting component of the Rovnix Trojan is its domain generation algorithm (DGA). It builds command and control (C&C) domain names from words taken from the United States Declaration of Independence, the GNU Lesser General Public License, Request for Comments (RFC) documents and other texts, so the generated names read like ordinary English rather than the random-looking strings that many DGA detectors key on.
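An added example, to show why a word-list DGA is harder to spot than a random-string one. This is not Bitdefender's reconstruction of the Rovnix algorithm: the hash-stream seeding, the seed value, the two-words-per-domain rule, the sample date and the .com TLD are all assumptions. It draws words from a passage of the Declaration of Independence, generates a day's worth of domains, and contrasts the usual entropy heuristic with a dictionary-coverage check.

```python
import hashlib
import math
import re
from datetime import date

# Word source: a public-domain passage of the kind the article says Rovnix draws on.
CORPUS = """When in the Course of human events it becomes necessary for one people to
dissolve the political bands which have connected them with another and to assume among
the powers of the earth the separate and equal station to which the Laws of Nature and of
Nature's God entitle them a decent respect to the opinions of mankind requires that they
should declare the causes which impel them to the separation"""

WORDS = sorted({w.lower() for w in re.findall(r"[A-Za-z]{4,}", CORPUS)})
SAMPLE_DAY = date(2015, 4, 1)   # constructed input date for the demonstration


def wordlist_dga(day, seed=b'example-seed', count=5, words=WORDS, tld='.com'):
    """HYPOTHETICAL dictionary DGA (not Rovnix's real algorithm): a per-day SHA-256
    stream derived from seed+date indexes two corpus words for each domain."""
    stream = hashlib.sha256(seed + day.isoformat().encode()).digest()
    domains = []
    for _ in range(count):
        stream = hashlib.sha256(stream).digest()
        a = words[int.from_bytes(stream[:4], 'big') % len(words)]
        b = words[int.from_bytes(stream[4:8], 'big') % len(words)]
        domains.append(a + b + tld)
    return domains


def shannon_entropy(label):
    """Bits per character: the classic heuristic for random-looking DGA labels."""
    n = len(label)
    if not n:
        return 0.0
    counts = {ch: label.count(ch) for ch in set(label)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dictionary_coverage(label, words=WORDS):
    """Largest fraction of the label that can be tiled with corpus words (dynamic programming)."""
    n = len(label)
    best = [0] * (n + 1)
    for i in range(n):
        best[i + 1] = max(best[i + 1], best[i])
        for w in words:
            if label.startswith(w, i):
                j = i + len(w)
                best[j] = max(best[j], best[i] + len(w))
    return best[n] / n if n else 0.0


def classify(domain, entropy_threshold=3.5, coverage_threshold=0.9):
    """Illustrative triage. An entropy check alone passes dictionary DGA names;
    the coverage check is what catches them. Real pipelines add allowlists,
    NXDOMAIN rates and registration age to keep false positives down."""
    label = domain.split('.')[0]
    if len(label) >= 10 and dictionary_coverage(label) >= coverage_threshold:
        return 'dictionary-dga-candidate'
    if shannon_entropy(label) > entropy_threshold:
        return 'random-dga-candidate'
    return 'unremarkable'


if __name__ == '__main__':
    for d in wordlist_dga(SAMPLE_DAY):
        label = d.split('.')[0]
        print(f'{d:32} entropy={shannon_entropy(label):.2f} '
              f'coverage={dictionary_coverage(label):.2f} -> {classify(d)}')
```

Every generated label tiles completely with corpus words, so its coverage is 1.0 regardless of what the entropy score says; a coverage-based rule needs the same word lists the malware uses, which is exactly why Bitdefender's identification of the source documents matters for defenders.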

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
