Cybercriminals Use Macros to Deliver Rovnix Malware

The Rovnix Trojan has started leveraging macros embedded in innocent-looking Microsoft Word documents to infect computers, researchers at Trend Micro reported on Wednesday.

The use of macros in the infection chain is an old technique, but it can still be highly efficient. Last month, researchers at Palo Alto Networks reported that the Dridex banking Trojan, a successor of Cridex, was also leveraging macros.

However, in the case of Rovnix, the macros are password-protected, which makes the malware more difficult to analyze. Furthermore, cybercriminals have obfuscated the code with string concatenations and variable substitutions in an effort to evade detection by security products.

The Rovnix attacks analyzed by Trend Micro start with a Word document containing a fake alert from Microsoft Office instructing users to enable macro settings. Once the macro is enabled, the malicious code is executed and three different types of hidden scripts are dropped on the infected system.
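A first line of defence against this lure is to triage incoming Word documents for an embedded macro project before they reach a user. The script below is an added example, not code from the Trend Micro write-up. It inspects only the file container: a modern Word document (.docx/.docm) is a zip archive, Word stores a VBA project in the part `word/vbaProject.bin`, and a macro-enabled file declares the `macroEnabled` main content type. The sample documents are constructed in memory; the legacy .doc (OLE2) format is recognised by its magic bytes but not parsed here.

```python
"""Triage a Word document for an embedded VBA macro project.

Added example, not code from the Trend Micro post. The sample documents are
constructed in memory and are not real Word files.
"""
import io
import zipfile

VBA_PART = "word/vbaProject.bin"
MACRO_MAIN_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_TYPE = ("application/vnd.openxmlformats-officedocument"
                   ".wordprocessingml.document.main+xml")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc compound file header


def inspect_document(data: bytes) -> dict:
    """Return triage findings for the raw bytes of a Word document.

    'suspicious' is True when the container carries a VBA project part or
    declares the macro-enabled main content type. It is None for OLE2 files,
    which need a dedicated parser (e.g. oletools' olevba) to answer the question.
    """
    result = {"format": "unknown", "has_vba_part": False,
              "declares_macro_enabled": False, "suspicious": False}
    if data[:8] == OLE2_MAGIC:
        result["format"] = "ole2"
        result["suspicious"] = None
        return result
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    result["format"] = "ooxml"
    names = set(zf.namelist())
    # Word stores the compiled VBA project under this fixed part name.
    result["has_vba_part"] = VBA_PART in names
    try:
        content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except KeyError:
        content_types = ""
    result["declares_macro_enabled"] = MACRO_MAIN_TYPE in content_types
    # Either signal is enough: a .docm renamed to .docx still carries the part,
    # and a macro-enabled content type without the part is odd enough to look at.
    result["suspicious"] = result["has_vba_part"] or result["declares_macro_enabled"]
    return result


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML container for testing (not a real Word file)."""
    main_type = MACRO_MAIN_TYPE if with_macro else PLAIN_MAIN_TYPE
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr(VBA_PART, b"constructed placeholder, not real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("macro-free", build_sample(False)),
                       ("macro-enabled", build_sample(True)),
                       ("legacy .doc", OLE2_MAGIC + b"\x00" * 504)):
        print(label, inspect_document(doc))
```

The check is deliberately conservative: it reports that a macro project is present, not whether it is malicious, which is exactly the decision point a mail gateway or download proxy needs in order to quarantine or strip the document before a user sees the "enable macros" prompt. Password protection of the VBA project, as used here, does not hide `vbaProject.bin` from this test.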

One of them is a PowerShell script which, according to experts, indicates that the attackers are targeting machines running Windows 7 and later. Starting with Windows 7, the PowerShell task automation and configuration management framework is installed by default.

“The script named adobeacd-update.bat executes adobeacd-update.vbs (VBS_POWRUN.KG), elevates user privileges, and then executes another script, named adobeacd-update.ps1 (TROJ_POWDLOD.GN). TROJ_POWDLOD.GN then downloads and executes TROJ_ROVNIX.NGT from http://185[.]14[.]31[.]9/work.exe, which was found to be a ROVNIX loader,” Joie Salvio, a Trend Micro threat response engineer, wrote in a blog post.
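The chain Salvio describes (Word document, then a batch file, a VBScript and a PowerShell script) leaves a distinctive process ancestry on the endpoint, which is where a detection can sit regardless of how the macro itself is obfuscated. The script below is an added example, not code from the Trend Micro post. It assumes Sysmon-style process-creation events carrying a pid, parent pid, image path and command line, and it assumes the batch file runs under cmd.exe and the VBScript under wscript.exe (the post names the scripts, not their host processes). The events, user name, paths and pids are constructed to mirror the adobeacd-update.bat, .vbs and .ps1 sequence from the article.

```python
"""Flag script interpreters whose process ancestry leads back to Word.

Added example, not code from the Trend Micro post. Event fields follow the
Sysmon process-creation event; sample events below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
# Pull the first script path out of a command line (no spaces in the path).
SCRIPT_FILE = re.compile(r"[\w:\\.-]+\.(?:bat|cmd|vbs|ps1)\b", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def office_spawned_scripts(events: List[ProcEvent], max_depth: int = 8) -> List[dict]:
    """Return one finding per script host that has an Office app as an ancestor.

    The walk is bounded by max_depth so a cycle or a very deep tree in a
    corrupted log cannot stall the detector.
    """
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if basename(ev.image) not in SCRIPT_HOSTS:
            continue
        chain = [basename(ev.image)]
        parent: Optional[ProcEvent] = by_pid.get(ev.ppid)
        depth = 0
        while parent is not None and depth < max_depth:
            chain.append(basename(parent.image))
            if basename(parent.image) in OFFICE_APPS:
                m = SCRIPT_FILE.search(ev.cmdline)
                findings.append({"pid": ev.pid,
                                 "script": m.group(0) if m else None,
                                 "chain": " <- ".join(chain)})
                break
            parent = by_pid.get(parent.ppid)
            depth += 1
    return findings


SAMPLE_EVENTS = [  # constructed; user name, paths and pids are illustrative
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
              r'"WINWORD.EXE" C:\Users\user\Downloads\invoice.doc'),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c C:\Users\user\AppData\Local\Temp\adobeacd-update.bat"),
    ProcEvent(400, 300, r"C:\Windows\System32\wscript.exe",
              r"wscript.exe C:\Users\user\AppData\Local\Temp\adobeacd-update.vbs"),
    ProcEvent(500, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Users\user\AppData\Local\Temp\adobeacd-update.ps1"),
    ProcEvent(600, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),  # benign: from Explorer
]

if __name__ == "__main__":
    for hit in office_spawned_scripts(SAMPLE_EVENTS):
        print(hit)
```

Walking the full ancestry rather than checking only the direct parent matters here: the PowerShell stage is three hops away from WINWORD.EXE, so a rule that only pairs Word with its immediate child would see the cmd.exe launch and miss the downloader. The cmd.exe started from Explorer (pid 600) is not reported, which is the false-positive case a rule like this must handle on a normal workstation.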

Rovnix writes its rootkit driver to unpartitioned space on the NTFS drive in an effort to hide it from security solutions. The malware modifies the initial program load (IPL) so that the rootkit driver is loaded before the operating system. This helps the threat evade detection, and allows it to load an unsigned driver on Windows 7 and newer versions of the operating system.

A majority of the users infected with this piece of malware are based in Germany (95%), Trend Micro said. Some infections have also been spotted in the United Kingdom, the Netherlands, the United States and Belgium.

“ROVNIX poses dangers to both users and enterprises since aside from its backdoor capabilities, it can steal passwords and record keystrokes. This attack may be used in data breaches as data theft is a main payload,” Salvio wrote.

Researchers at Bitdefender have also been monitoring Rovnix. Earlier this month, the security firm reported spotting a campaign that focused on the United Kingdom. A total of more than 130,000 infected computers were detected.

An interesting component of the Rovnix Trojan is its domain generation algorithm (DGA). It uses words taken from the United States Declaration of Independence, the GNU Lesser General Public License, Request for Comments (RFC) pages, and other documents to generate command and control (C&C) domain names.


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
