Rozena File-less Backdoor Malware

Rozena malware also known as Bedep, is a backdoor malware first observed in 2015. It has recently reappeared using a new file-less format to reduce detection rates from anti-virus and security products.

Rozena is typically distributed as an executable file, disguised as a Microsoft Word document, through several different delivery vectors. These vectors include; malicious attachments in spam or phishing campaigns, drive-by-downloads from compromised sites and downloaded by secondary malware. Once opened, this executable creates an encrypted text file and an obfuscated PowerShell script called CREATOR. CREATOR is responsible for creating a secondary script called DECODER, which then decrypts the text file to obtain a final script referred to as INJECTOR.

INJECTOR will then inject the Rozena shellcode into the targeted system and initiate communications with a command and control server using a reverse TCP connection. Once installed, Rozena provides a remote attacker with full access to the affected system; although at the time of publication it is unclear what their intention is.

Rozena uses the icon of a Microsoft Word file to disguise itself

Affected Platforms

Microsoft Windows – All versions

Indicators of Compromise

SHA256 File Hashes

  • c23d6700e93903d05079ca1ea4c1e36151cdba4c5518750dc604829c0d7b80a7
  • d906dc14dae9f23878da980aa0a3108c52fc3685cb746702593dfa881c23d13f


  • Hi6kI7hcxZwU.txt

IP Addresses

  • 18[.]231[.]121[.]185


  • 443

Image via –

Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: