TrendLabs Security Intelligence Blog

ROVNIX Infects Systems with Password-Protected Macros

  • Posted on:November 19, 2014 at 1:43 pm
  • Posted in:Malware
  • Author:
    Joie Salvio (Threat Response Engineer)

We recently found that the ROVNIX malware family is now being distributed through a macro downloader. This technique was previously seen in DRIDEX, which used the same routines. DRIDEX is also known as the successor of the banking malware CRIDEX.

Though a fairly old infection method, malicious macros still work just fine for cybercriminals, even against sophisticated defensive measures, because they depend on the user clicking through a prompt rather than on any software flaw that a patch could close.

ROVNIX Malware Routines

Based on our analysis, ROVNIX writes its malicious rootkit driver to unpartitioned space on the NTFS drive, that is, to sectors that belong to no partition. Because this area is not part of any file system, it is invisible to the operating system's file APIs and to file-based security products, which effectively hides the driver.

To load the malicious driver, ROVNIX modifies the contents of the IPL (Initial Program Loader), the bootstrap code stored in the sectors immediately following the NTFS volume boot record. The modified code loads the rootkit driver before the operating system starts. This technique serves two purposes: evading detection, and loading an unsigned driver on Windows 7 and later, whose 64-bit editions would otherwise refuse it under kernel-mode driver signature enforcement.
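The two paragraphs above describe where the driver is stashed: sectors that no partition claims. The following is an added example (not Trend Micro's code, not ROVNIX's) of the check a responder would run on a disk image: parse the classic MBR partition table, compute every sector range that lies outside all partitions, and report which of those sectors contain non-zero data. The 64-sector disk image it scans is constructed inline, with a single NTFS-type partition and a stand-in "driver blob" planted in the slack after it.

```python
"""Locate and inspect unpartitioned disk space of the kind ROVNIX uses to hide its driver.

Added example, not Trend Micro's tooling: classic MBR layout only (a GPT disk shows a
single 0xEE protective entry and needs a GPT parser instead). The disk image is constructed.
"""
import struct

SECTOR = 512


def parse_mbr_partitions(mbr: bytes):
    """Return (type, lba_start, sector_count) for each populated primary partition entry."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        # status(1) CHS(3) type(1) CHS(3) LBA start(4) sector count(4), little-endian
        _status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0 and count != 0:
            parts.append((ptype, lba_start, count))
    return parts


def unpartitioned_ranges(parts, total_sectors):
    """Half-open [start, end) sector ranges outside every partition; sector 0 (the MBR) is excluded."""
    gaps, cursor = [], 1
    for _ptype, start, count in sorted(parts, key=lambda p: p[1]):
        if start > cursor:
            gaps.append((cursor, start))          # gap before/between partitions
        cursor = max(cursor, start + count)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors))      # slack after the last partition
    return gaps


def nonzero_sectors(image: bytes, ranges):
    """LBAs inside the given ranges that hold anything other than zeros."""
    return [lba for start, end in ranges
            for lba in range(start, end)
            if any(image[lba * SECTOR:(lba + 1) * SECTOR])]


def build_sample_image() -> bytes:
    """Constructed 64-sector disk: one NTFS partition at LBA 8-47, data planted at LBA 52."""
    image = bytearray(64 * SECTOR)
    mbr = bytearray(SECTOR)
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 8, 40)
    mbr[510:512] = b"\x55\xaa"
    image[0:SECTOR] = mbr
    vbr = bytearray(SECTOR)                       # minimal NTFS boot-sector look-alike
    vbr[3:11] = b"NTFS    "
    vbr[510:512] = b"\x55\xaa"
    image[8 * SECTOR:9 * SECTOR] = vbr
    hidden = b"constructed stand-in for a driver blob written outside any partition"
    image[52 * SECTOR:52 * SECTOR + len(hidden)] = hidden
    return bytes(image)


def scan_image(image: bytes):
    """Full check: partition table -> unpartitioned ranges -> sectors with data in them."""
    parts = parse_mbr_partitions(image[:SECTOR])
    gaps = unpartitioned_ranges(parts, len(image) // SECTOR)
    return {"partitions": parts, "gaps": gaps, "suspicious_sectors": nonzero_sectors(image, gaps)}


if __name__ == "__main__":
    print(scan_image(build_sample_image()))
```

On a real case, feed `scan_image` a raw image of the whole drive. Reading `\\.\PhysicalDrive0` on the live host is the obvious shortcut, but an active bootkit with a disk filter driver can return clean sectors for exactly the region you are interested in, so acquire the image from clean boot media or a write-blocker. Data in the slack is not proof by itself (some imaging tools and OEM recovery layouts leave residue there); it is the starting point for hashing and disassembling what is found.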

ROVNIX Infection Chain

In this attack, the malicious document contains a social engineering lure, specifically a fake alert styled as a Microsoft® Office® message, that instructs users to enable macros.


Figure 1. Screenshot of the document with the malicious macro

Enabling the macro triggers the malicious macro code, detected as W97M_DLOADER.AI. The difference between this macro and the one in the earlier CRIDEX case is that the ROVNIX VBA project is password-protected. This makes analysis harder, since the macro cannot be viewed or opened in the Visual Basic editor without the password. The password is only a viewing lock, however: the macro source is still stored in the document's VBA streams and can be extracted with a standalone tool without it.


Figure 2. The malicious macro, ROVNIX, requires a password


Figure 3. Code snippet of the script

The macro uses simple string concatenations and multiple variable substitutions in an attempt to obfuscate its code and evade antivirus detection. When executed, it drops three separate hidden scripts of different types, including a Windows PowerShell script. This suggests that the cybercriminals are targeting Windows 7 and later, where Windows PowerShell is installed by default.
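The two points made above (the project password does not protect the code, and the code hides strings behind `&` concatenation) can be shown together. The following is an added example, not Trend Micro's tooling and not the macro from the sample: it implements the MS-OVBA stream decompression that a VBA module stream is stored in (the same step olevba and oledump perform), then folds adjacent string-literal concatenations back into one literal. The module stream it decodes is constructed by hand for the demonstration; the macro text inside it, the file name it references and the "adobe" split are made-up illustrations, not bytes from the real sample.

```python
"""Recover VBA source from a module stream without the VBA project password.

Added example (not Trend Micro's code): the project password lives in the PROJECT stream
(the DPB= field) and is consulted only by the VBE editor. Each module's source sits in its
own stream, MS-OVBA compressed, and decompressing it never touches the password.
"""
import re
import struct


def decompress_vba_stream(data: bytes) -> bytes:
    """MS-OVBA 'DecompressedBuffer' algorithm for one CompressedContainer."""
    if not data or data[0] != 0x01:
        raise ValueError("missing 0x01 container signature")
    out = bytearray()
    pos = 1
    while pos < len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        chunk_size = (header & 0x0FFF) + 3             # bits 0-11: compressed size - 3
        if (header >> 12) & 0x7 != 0b011:               # bits 12-14: fixed signature
            raise ValueError("bad chunk signature")
        compressed = (header >> 15) & 1                 # bit 15: 0 means 4096 raw bytes
        end = min(len(data), pos + chunk_size)
        pos += 2
        if not compressed:
            out += data[pos:pos + 4096]
            pos += 4096
            continue
        chunk_start = len(out)
        while pos < end:
            flags = data[pos]                           # one flag bit per following token
            pos += 1
            for bit in range(8):
                if pos >= end:
                    break
                if not (flags >> bit) & 1:              # literal byte
                    out.append(data[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", data, pos)[0]
                pos += 2
                # offset/length split widens as the chunk fills: ceil(log2(filled)), min 4
                filled = len(out) - chunk_start
                bit_count = max((filled - 1).bit_length(), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                for i in range(length):                 # byte-wise: source may overlap dest
                    out.append(out[src + i])
    return bytes(out)


_CONCAT = re.compile(r'"([^"]*)"\s*&\s*"([^"]*)"')


def fold_string_concats(src: str) -> str:
    """Collapse "a" & "b" & ... chains into one literal (ignores the VBA "" escape)."""
    while True:
        new = _CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', src)
        if new == src:
            return src
        src = new


# Constructed module stream: one compressed chunk, seven all-literal groups and a final
# group whose 4th token copies 3 bytes from 59 bytes back (reusing the earlier "Sub").
_SAMPLE_CHUNK = (
    b"\x00Sub Auto"          # flag 0x00: eight literal bytes follow
    b"\x00Open()\r\n"
    b'\x00Shell "a'
    b'\x00dobe" & '
    b'\x00"acd-" &'
    b'\x00 "update'
    b'\x00.bat"\r\nE'
    b"\x08nd "               # flag 0x08: bit 3 set, so the 4th token is a copy token
    b"\x00\xe8"              # 0xE800: offset 59 (58+1), length 3 (0+3) with a 6-bit offset field
    b"\r\n"
)
_SAMPLE_HEADER = struct.pack("<H", 0x8000 | 0x3000 | (len(_SAMPLE_CHUNK) + 2 - 3))
SAMPLE_MODULE_STREAM = b"\x01" + _SAMPLE_HEADER + _SAMPLE_CHUNK


def recover_macro(module_stream: bytes) -> str:
    """Decompress a module stream and undo the string-concatenation obfuscation."""
    src = decompress_vba_stream(module_stream).decode("latin-1")
    return fold_string_concats(src)


if __name__ == "__main__":
    print(decompress_vba_stream(SAMPLE_MODULE_STREAM).decode("latin-1"))
    print(recover_macro(SAMPLE_MODULE_STREAM))
```

For a real .doc, open the file (or its embedded vbaProject.bin) with olefile, decompress the `VBA/dir` stream with the same routine to read each module's MODULEOFFSET, and pass the module stream from that offset onwards to `decompress_vba_stream`; at no point is the PROJECT stream's password field needed. The fold handles only literal-to-literal joins, which is exactly the "simple string concatenation" layer the post describes; variables assembled over several statements still need a second pass or a debugger.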


Figure 4. Files dropped by W97M_DLOADER.AI

The script named adobeacd-update.bat executes adobeacd-update.vbs (VBS_POWRUN.KG), which elevates user privileges and then executes another script, adobeacd-update.ps1 (TROJ_POWDLOD.GN). TROJ_POWDLOD.GN then downloads and executes TROJ_ROVNIX.NGT from http://185[.]14[.]31[.]9/work.exe, which was found to be a ROVNIX loader.
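The chain above (Word, then a .bat, then a .vbs, then PowerShell, all out of the user's temp folder) is the kind of parent/child sequence endpoint telemetry can catch regardless of the file hashes. The following is an added example, not Trend Micro's detection logic: it walks process-creation events and reports every Office process that has script interpreters among its descendants, together with any %TEMP% script paths on their command lines. The events are constructed for the demonstration, with field names chosen to mirror Sysmon Event ID 1 (Image, ParentProcessId, CommandLine); the paths, PIDs and user name are invented.

```python
"""Flag Office -> cmd/wscript/powershell process chains like the ROVNIX dropper's.

Added example (not Trend Micro's tooling). Events below are constructed; pid/ppid/image/cmd
stand for Sysmon's ProcessId/ParentProcessId/Image/CommandLine fields.
"""
import re
from collections import defaultdict

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
TEMP_SCRIPT = re.compile(r'[A-Za-z]:\\[^\s"]*?\\Temp\\[^\s"]+')   # any path under a Temp folder

SAMPLE_EVENTS = [
    {"pid": 1200, "ppid": 800, "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "cmd": r'"WINWORD.EXE" /n "C:\Users\bob\Downloads\invoice.doc"'},
    {"pid": 1308, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd /c C:\Users\bob\AppData\Local\Temp\adobeacd-update.bat'},
    {"pid": 1412, "ppid": 1308, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript C:\Users\bob\AppData\Local\Temp\adobeacd-update.vbs'},
    {"pid": 1500, "ppid": 1412, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell -File C:\Users\bob\AppData\Local\Temp\adobeacd-update.ps1'},
    # benign control: PowerShell started from Explorer, not from an Office document
    {"pid": 2000, "ppid": 800, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 2100, "ppid": 2000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell -File C:\admin\backup.ps1'},
]


def image_name(path: str) -> str:
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def office_script_chains(events, max_depth=8):
    """One finding per Office process that has script hosts among its descendants."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    findings = []
    for root in events:
        if image_name(root["image"]) not in OFFICE_APPS:
            continue
        hosts, artifacts = [], []
        stack = [(root, 0)]
        while stack:
            node, depth = stack.pop()
            if depth >= max_depth:
                continue
            for child in children[node["pid"]]:
                name = image_name(child["image"])
                if name not in SCRIPT_HOSTS:
                    continue                          # follow only the interpreter chain
                hosts.append(name)
                artifacts.extend(TEMP_SCRIPT.findall(child["cmd"]))
                stack.append((child, depth + 1))
        if hosts:
            findings.append({
                "office_pid": root["pid"],
                "document": root["cmd"],
                "hosts": hosts,
                "artifacts": artifacts,
                # a PowerShell stage under Office is the downloader step in this chain
                "severity": "high" if "powershell.exe" in hosts else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in office_script_chains(SAMPLE_EVENTS):
        print(finding)
```

The rule keys on the ancestry, not on the file names, so renaming adobeacd-update.* does not evade it; the temp-path extraction is only there to hand the responder the artifacts to collect. Expect to tune it per environment: some add-ins and document-management integrations legitimately spawn cscript or PowerShell from Office, so an allow-list on the script path or signer is usually needed before alerting on "medium".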

Based on feedback from the Trend Micro™ Smart Protection Network™, Germany had the largest number of users with infected systems.

Table 1. Top affected countries from November 6, 2014 – November 18, 2014

Conclusion

ROVNIX poses a danger to both users and enterprises: aside from its backdoor capabilities, it can steal passwords and record keystrokes, so data theft is its main payload and this attack could figure in data breaches. It also highlights the possibility that more malware may employ macro documents that use PowerShell to carry out their malicious routines. Note, however, that in this particular attack no PowerShell feature was actually abused; the downloader script simply ran under PowerShell as intended.

Users can secure their systems with a simple step: set the Office macro setting to its highest security level (disable all macros in the Trust Center, with or without notification). If macros are needed to view a document, make sure the file comes from a trusted source. Trend Micro protects users from this threat via the Trend Micro™ Smart Protection Network™, which detects the malicious files.

The following are the related SHA-1 hashes:

  • 92C090AA5487E188E0AB722A41CBA4D2974C889D
  • 4C5C0B3DCCBFBDC1640B2678A3333E8C9EF239C5

With additional input by Rhena Inocencio

Tags: CRIDEX, macro, macro-based attack, ROVNIX
