Rozena malware, also known as Bedep, is a backdoor malware first observed in 2015. It has recently reappeared in a new fileless format intended to reduce detection rates by anti-virus and security products.
Rozena is typically distributed as an executable file, disguised as a Microsoft Word document, through several different delivery vectors. These vectors include malicious attachments in spam or phishing campaigns, drive-by downloads from compromised sites, and downloads by secondary malware. Once opened, this executable creates an encrypted text file and an obfuscated PowerShell script called CREATOR. CREATOR is responsible for creating a secondary script called DECODER, which then decrypts the text file to obtain a final script referred to as INJECTOR.
INJECTOR then injects the Rozena shellcode into the targeted system and initiates communications with a command and control server over a reverse TCP connection. Once installed, Rozena provides a remote attacker with full access to the affected system, although at the time of publication it is unclear what the attackers' intention is.
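Two defender-side triage checks for the delivery chain just described, written here as an added example (not code from the advisory or from Rozena samples): a file with a Word-document name whose bytes are actually a Windows executable, and a PowerShell script block that combines payload decoding with shellcode-injection API calls. The API and cmdlet names used as indicators are generic Windows/PowerShell names assumed for illustration, and the sample script blocks are constructed.

```python
"""Triage helpers for the Rozena/Bedep delivery chain (added example)."""
import re

WORD_EXTENSIONS = (".doc", ".docx", ".rtf")
PE_MAGIC = b"MZ"  # every Windows executable image begins with "MZ"


def looks_like_word_doc(name: str) -> bool:
    """True if the name claims to be a Word document, including 'x.doc.exe'."""
    parts = name.lower().split(".")
    return any("." + p in WORD_EXTENSIONS for p in parts[1:])


def disguised_executable(name: str, header: bytes) -> bool:
    """Flag a PE file whose name pretends to be a Word document."""
    return looks_like_word_doc(name) and header.startswith(PE_MAGIC)


# Indicator groups for the CREATOR -> DECODER -> INJECTOR chain. A script
# block that both decodes/decrypts content AND touches shellcode-injection
# APIs is far more suspicious than one that does only either. These
# patterns are generic names assumed for the example, not Rozena strings.
DECODE_PATTERNS = [r"FromBase64String", r"System\.Security\.Cryptography",
                   r"-bxor\b", r"Invoke-Expression|\biex\b"]
INJECT_PATTERNS = [r"VirtualAlloc", r"CreateThread",
                   r"WriteProcessMemory", r"Marshal\]::Copy"]


def powershell_stage_score(script: str) -> dict:
    """Return the matched indicators per stage and an overall verdict."""
    decode = [p for p in DECODE_PATTERNS if re.search(p, script, re.I)]
    inject = [p for p in INJECT_PATTERNS if re.search(p, script, re.I)]
    return {"decode": decode, "inject": inject,
            "suspicious": bool(decode) and bool(inject)}


# Constructed sample script-block log entries (not real malware stages).
SAMPLE_INJECTOR = ("$b=[Convert]::FromBase64String((Get-Content $env:TEMP\\x.txt));"
                   " ... VirtualAlloc ... CreateThread ...")
SAMPLE_BENIGN = ("$s=[Convert]::FromBase64String('SGVsbG8=');"
                 "[Text.Encoding]::UTF8.GetString($s)")

if __name__ == "__main__":
    print(disguised_executable("Invoice.doc.exe", b"MZ\x90\x00"))  # True
    print(powershell_stage_score(SAMPLE_INJECTOR)["suspicious"])  # True
    print(powershell_stage_score(SAMPLE_BENIGN)["suspicious"])  # False
```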
Microsoft Windows – All versions
Indicators of Compromise
SHA256 File Hashes
Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.