Rovnix Payload Analysis

The payload part of the Rovnix dropper i analyzed previously is the module that responsible to communicate with the C&C server and to install and load plugins.

It seems like Symantec detecting it as Carberp.C as can be seen in this blog post, i assume it is the same dropper and payload i am analyzing here because the C&C page names and the techniques used by the dropper are the same.

Payload Overview

The payload file SHA256 this analysis based on is:

08e3b7e04abe1aa43477a1befb0a05d4fd7cf1480c834f21ff2f7e894fed6a3f

As always you can download all the samples mentioned in this post and the decrypted web-injects here (Password: infected).

The payload capabilities include:

• Communicating with the C&C 
• Download additional C&C addresses
• Download and run plugins
• Download and run additional executable files

Rovnix Dropper Analysis (TrojanDropper:Win32/Rovnix.P)

The Win32/Rovnix family is known for its usage of a VBR based Bootkit in order to load itself before the Windows operating system starts to run.

In this post i am going to analyze a recent Rovnix dropper that is able to install its Bootkit component on a x86 and x86-64 Windows OS, the dropper contains at-least two previously known exploits in order to elevate its privileges on the system in case it doesn't have enough permissions to access the VBR.

This post will cover:

• Environment info - Which information is sent by the dropper to the C&C server and where in the registry the dropper writes its configuration.
• Anti-Analysis - The technique used by the dropper and the driver in order the detect sandboxes and to prevent the launching of analysis tools.
• Bootkit installation preparations - Which steps the dropper takes in order to make sure it will be able to install the Bootkit component.
• Payload - How the actual payload is installed in the system.
• Code and Module storage - How and where the dropper stores the files and shellcode that it uses throughout the installation process.

Quick analysis of a VisualBasic based Password-Stealer

After the analysis of Golroted i was able to get the key to the attacker's server (actually they gave it to me by embedding it in the code isn't it), using that key i was able to spot an email-message that was used in a spear-phishing campaign.

Spam message

The email-message had an attachment file that i am going to analyze in this post.

Quick analysis MSIL/Golroted (Stealer)

Golroted purpose is to steal various information from the victim machine (you can read the full description about it in the Microsoft Malware Protection Center).

This particular sample is obfuscated using Smart Assembly and packed inside a .NET based RunPE, after unpacking we can read the code of the malware.

This malware upload the information it steal from the victim through Email and\or FTP. The username and the password of the Email address and the FTP accounts stored in the file itself in an encrypted form.

Encrypted data