Rozena File-less Backdoor Malware
Rozena malware also known as Bedep, is a backdoor malware first observed in 2015. It has recently reappeared using a new file-less format to reduce detection rates from anti-virus and security products.
Rozena is typically distributed as an executable file, disguised as a Microsoft Word document, through several different delivery vectors. These vectors include; malicious attachments in spam or phishing campaigns, drive-by-downloads from compromised sites and downloaded by secondary malware. Once opened, this executable creates an encrypted text file and an obfuscated PowerShell script called CREATOR. CREATOR is responsible for creating a secondary script called DECODER, which then decrypts the text file to obtain a final script referred to as INJECTOR.
INJECTOR will then inject the Rozena shellcode into the targeted system and initiate communications with a command and control server using a reverse TCP connection. Once installed, Rozena provides a remote attacker with full access to the affected system; although at the time of publication it is unclear what their intention is.
Affected Platforms
Microsoft Windows – All versions
Indicators of Compromise
SHA256 File Hashes
- c23d6700e93903d05079ca1ea4c1e36151cdba4c5518750dc604829c0d7b80a7
- d906dc14dae9f23878da980aa0a3108c52fc3685cb746702593dfa881c23d13f
Filenames
- Hi6kI7hcxZwU.txt
IP Addresses
- 18[.]231[.]121[.]185
Ports
- 443
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.