Originally detected in 2014, the ROVNIX trojan writes malicious rootkit drivers into NTFS. The malicious driver loads before the OS, so it can hide itself from both the OS and anti-virus software. The latest version of ROVNIX now uses a social-engineering downloader, similar to the original macro downloader, that tricks the user into running the malicious code. The new ROVNIX sends the victim a legitimate-looking commercial invoice; once the victim opens the attachment, they become infected. The malicious attachment then spawns a web-injected banking web page designed to trick the user into entering their banking credentials. Once the attacker has the banking credentials, they proceed to defraud the victim.
Thanks to our good friends at IBM X-Force, we are aware of the attack and can build countermeasures into our incident response.