We recently found that the malware family ROVNIX is capable of being distributed via macro downloader. This malware technique was previously seen in the DRIDEX malware, which was notable for using the same routines. DRIDEX is also known as the successor of the banking malware CRIDEX.
Though a fairly old method for infection, cybercriminals realized that using malicious macros work just fine–even against sophisticated defense measures.
ROVNIX Malware Routines
Based on our analysis, ROVNIX writes malicious rootkit drivers to an unpartitioned space of the NTFS drive. This effectively hides the driver since this unpartitioned space cannot be seen by the operating system and security products.
To load the malicious driver, ROVNIX modifies the contents of the IPL. This code is modified so that the malicious rootkit driver is loaded before the operating system. This technique essentially serves two purposes: to evade detection, and to load an unsigned driver for Windows versions 7 and onwards.
ROXNIX Infection Chain
In this attack, the malicious document contains a social engineering lure, specifically a fake alert from Microsoft® Office®, that instructs users to enable macro settings.
Figure 1. Screenshot of the document with the malicious macro
Enabling the macro triggers execution of the malicious macro code, detected as W97M_DLOADER.AI . The difference between this malicious macro and the previous one in the CRIDEX case is that ROXNIX is password-protected. This makes analyzing the malware difficult since the macro cannot be viewed or opened without the password or a special tool.
Figure 2. The malicious macro, ROVNIX, requires a password
Figure 3. Code snippet of the script
This malware script uses simple string concatenations and multiple variable substitutions in an attempt to obfuscate code and evade antivirus detection. When the macro is executed, it drops three separate hidden scripts of different types, including a Windows PowerShell script. This tactic implies that cybercriminals appear to target Windows 7 onwards, which has Windows PowerShell installed by default.
Figure 4. Files dropped by W97M_DLOADER.AI
The script named adobeacd-update.bat executes adobeacd-update.vbs (VBS_POWRUN.KG), elevates user privileges, and then executes another script, named adobeacd-update.ps1 (TROJ_POWDLOD.GN). TROJ_POWDLOD.GN then downloads and executes TROJ_ROVNIX.NGT from http//185[.]14[.]31[.]9/work.exe, which was found to be a ROVNIX loader.
Based on feedback from the Trend Micro™ Smart Protection Network™, Germany has the most number of users with infected systems.
Table 1. Top affected countries from November 6, 2014 – November 18, 2014
Conclusion
ROVNIX poses dangers to both users and enterprises since aside from its backdoor capabilities, it can steal passwords and record keystrokes. This attack may be used in data breaches as data theft is a main payload. In addition, this attack highlights the possibility that more malware may employ macro documents that abuse PowerShell to spread their malicious routines. Note, however that in this particular attack, PowerShell feature was not abused.
Users can secure their systems via this simple step of configuring their macro settings to maximum security. If the feature is needed for viewing documents, make sure that the files are from a trusted source. Trend Micro protects users from this threat via the Trend Micro™ Smart Protection Network™ that detects the malicious files.
The following are the related hashes:
- 92C090AA5487E188E0AB722A41CBA4D2974C889D
- 4C5C0B3DCCBFBDC1640B2678A3333E8C9EF239C5
With additional input by Rhena Inocencio
