Cybercriminals Use Macros to Deliver Rovnix Malware

The Rovnix Trojan has started leveraging macros embedded in innocent-looking Microsoft Word documents to infect computers, researchers at Trend Micro reported on Wednesday.

The use of macros in the infection chain is an old technique, but it can still be highly efficient. Last month, researchers at Palo Alto Networks reported that the Dridex banking Trojan, a successor of Cridex, was also leveraging macros.

However, in the case of Rovnix, the macros are password-protected, which makes the malware more difficult to analyze. Furthermore, cybercriminals have obfuscated the code with string concatenations and variable substitutions in an effort to evade detection by security products.

The Rovnix attacks analyzed by Trend Micro start with a Word document containing a fake alert from Microsoft Office instructing users to enable macro settings. Once the macro is enabled, the malicious code is executed and three different types of hidden scripts are dropped on the infected system.

One of them is a PowerShell script which, according to experts, indicates that the attackers are targeting machines running Windows 7 and later. Starting with Windows 7, the PowerShell task automation and configuration management framework is installed by default.

“The script named adobeacd-update.bat executes adobeacd-update.vbs (VBS_POWRUN.KG), elevates user privileges, and then executes another script, named adobeacd-update.ps1 (TROJ_POWDLOD.GN). TROJ_POWDLOD.GN then downloads and executes TROJ_ROVNIX.NGT from http//185[.]14[.]31[.]9/work.exe, which was found to be a ROVNIX loader,” Joie Salvio, a Trend Micro threat response engineer, wrote in a blog post.

Rovnix writes its rootkit driver to unpartitioned space on the NTFS drive in an effort to hide it from security solutions. The malware modifies the initial program load (IPL) so that the rootkit driver is loaded before the operating system. This helps the threat evade detection, and allows it to load an unsigned driver on Windows 7 and newer versions of the operating system.

A majority of the users infected with this piece of malware are based in Germany (95%), Trend Micro said. Some infections have also been spotted in the United Kingdom, the Netherlands, the United States and Belgium.

“ROVNIX poses dangers to both users and enterprises since aside from its backdoor capabilities, it can steal passwords and record keystrokes. This attack may be used in data breaches as data theft is a main payload,” Salvio wrote.

Researchers at Bitdefender have also been monitoring Rovnix. Earlier this month, the security firm reported spotting a campaign that focused on the United Kingdom. A total of more than 130,000 infected computers were detected.

An interesting component of the Rovnix Trojan is its domain generation algorithm (DGA). It uses words taken from the United States Declaration of Independence, the GNU Lesser General Public License, Request for Comments (RFC) pages, and other documents to generate command and control (C&C) domain names.