Password protected document spreads banking malware

New malware have been uncovered by TrendMicro that is targeting users to grab bank credentials. Today most people use the online banking services to pay for any product and this makes such malware very dangerous and will allow cybercrminals to control victim bank account.

The malware is called ROVNIX which is a rootkit drivers that will hide itself in the a unpartitioned space of the NTFS drive this will make windows operating system do not recognize the malware or its content and security program as a result will not scan this partition.

The attack will start by a word document ask users to enable macro settings on office, this will promote executing the malware. the malicious macro code is protected by password to prevent reversing it or being identified by security program and by executing the malware it will drop three types of script including a powershell based one.

ROVNIX1Screenshot for the infected document sourced TrendMicro

Executing scripts will be sequentially the first script will elevate user privileges, the second will download the malicious Trojan and run it. 95% of infected systems are located in Germany, UK comes at the second place and Netherlands on the third place on number of infected users.

Share