Connect with us

Hi, what are you looking for?



Cybercriminals Use Macros to Deliver Rovnix Malware

The Rovnix Trojan has started leveraging macros embedded in innocent-looking Microsoft Word documents to infect computers, researchers at Trend Micro reported on Wednesday.

The Rovnix Trojan has started leveraging macros embedded in innocent-looking Microsoft Word documents to infect computers, researchers at Trend Micro reported on Wednesday.

The use of macros in the infection chain is an old technique, but it can still be highly efficient. Last month, researchers at Palo Alto Networks reported that the Dridex banking Trojan, a successor of Cridex, was also leveraging macros.

However, in the case of Rovnix, the macros are password-protected, which makes the malware more difficult to analyze. Furthermore, cybercriminals have obfuscated the code with string concatenations and variable substitutions in an effort to evade detection by security products.

The Rovnix attacks analyzed by Trend Micro start with a Word document containing a fake alert from Microsoft Office instructing users to enable macro settings. Once the macro is enabled, the malicious code is executed and three different types of hidden scripts are dropped on the infected system.

One of them is a PowerShell script which, according to experts, indicates that the attackers are targeting machines running Windows 7 and later. Starting with Windows 7, the PowerShell task automation and configuration management framework is installed by default.

“The script named adobeacd-update.bat executes adobeacd-update.vbs (VBS_POWRUN.KG), elevates user privileges, and then executes another script, named adobeacd-update.ps1 (TROJ_POWDLOD.GN). TROJ_POWDLOD.GN then downloads and executes TROJ_ROVNIX.NGT from http//185[.]14[.]31[.]9/work.exe, which was found to be a ROVNIX loader,” Joie Salvio, a Trend Micro threat response engineer, wrote in a blog post.

Rovnix writes its rootkit driver to unpartitioned space on the NTFS drive in an effort to hide it from security solutions. The malware modifies the initial program load (IPL) so that the rootkit driver is loaded before the operating system. This helps the threat evade detection, and allows it to load an unsigned driver on Windows 7 and newer versions of the operating system.

Advertisement. Scroll to continue reading.

A majority of the users infected with this piece of malware are based in Germany (95%), Trend Micro said. Some infections have also been spotted in the United Kingdom, the Netherlands, the United States and Belgium.

“ROVNIX poses dangers to both users and enterprises since aside from its backdoor capabilities, it can steal passwords and record keystrokes. This attack may be used in data breaches as data theft is a main payload,” Salvio wrote.

Researchers at Bitdefender have also been monitoring Rovnix. Earlier this month, the security firm reported spotting a campaign that focused on the United Kingdom. A total of more than 130,000 infected computers were detected.

An interesting component of the Rovnix Trojan is its domain generation algorithm (DGA). It uses words taken from the United States Declaration of Independence, the GNU Lesser General Public License, Request for Comments (RFC) pages, and other documents to generate command and control (C&C) domain names.


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...