In April 2020, Kaspersky researchers saw the return of the well-known Rovnix bootkit – a malicious program created to load and protect malware from detection – in a campaign that exploited the pandemic.
Upgraded and featuring an unusual loader, the bootkit delivered a backdoor with Trojan-spyware capabilities to victims’ computers. It was being distributed under a Russian-language file name that translates as “on the new initiative of the World Bank in connection with the coronavirus pandemic”.
The bootkit featured a number of improvements, such as a User Account Control (UAC) bypass mechanism, elevation of privileges on the device, and a loader that isn’t usually associated with this specific bootkit. Analysis of the detected files showed that the payload was, in fact, a backdoor with Trojan-Spy elements, meaning that once it was installed on the infected device, the attacker would have access to the device and could also collect various types of information.
The bootkit was distributed via the file “on the new initiative of the World Bank in connection with the coronavirus pandemic.exe” – a self-extracting archive that drops a document file and a malicious executable. To make it even more convincing, the document contained information about a new initiative from the World Bank, and real individuals related to the organization were cited as authors in the document metadata. However, once opened, the file would load the bootkit and start the infection process.
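The delivery pattern described above (an executable that is really a self-extracting archive, carrying a decoy document with spoofed author metadata next to the real payload) is something a triage script can flag before anyone opens the file. The following is an added example written for this page, not Kaspersky's tooling and not derived from the actual sample: it checks whether a PE image has an appended RAR, 7z or ZIP archive, and, for the ZIP case, lists any bundled executables and reads the `dc:creator` field from each bundled .docx so an analyst can compare the claimed authors against what the sender should plausibly have produced. The page does not state which archive format the campaign used, so ZIP parsing is assumed (Python's `zipfile` handles a prepended SFX stub); RAR and 7z are only flagged. All function names, the sample file names and the author names are constructed for the example.

```python
"""Triage helper for self-extracting-archive lures: flag a PE with an
appended archive and surface the decoy document's author metadata.
Added example; signatures and the OOXML core.xml layout are standard,
the sample bytes built below are constructed test data."""
import io
import zipfile
import xml.etree.ElementTree as ET

# Magic bytes of archive containers commonly wrapped in an SFX stub.
ARCHIVE_SIGNATURES = {
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"PK\x03\x04": "zip",
}
DC_NS = "{http://purl.org/dc/elements/1.1/}"


def find_embedded_archive(data: bytes):
    """Return (format, offset) of the earliest archive signature found after
    the MZ header, or None. A triage flag, not a verdict: some legitimate
    installers embed archives too."""
    if not data.startswith(b"MZ"):
        return None
    best = None
    for sig, name in ARCHIVE_SIGNATURES.items():
        off = data.find(sig, 2)
        if off != -1 and (best is None or off < best[1]):
            best = (name, off)
    return best


def docx_authors(docx_bytes: bytes):
    """Read dc:creator from docProps/core.xml; Word stores several authors
    in one element separated by semicolons."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "docProps/core.xml" not in z.namelist():
            return []
        root = ET.fromstring(z.read("docProps/core.xml"))
    names = []
    for el in root.iter(DC_NS + "creator"):
        names += [n.strip() for n in (el.text or "").split(";") if n.strip()]
    return names


def triage_sfx(pe_bytes: bytes):
    """Combine both checks. The decoy-plus-executable pairing is what makes
    the archive suspicious; the author list is for the analyst to verify."""
    hit = find_embedded_archive(pe_bytes)
    report = {"embedded_archive": hit, "decoy_authors": {}, "executables": []}
    if hit is None or hit[0] != "zip":
        report["suspicious"] = hit is not None  # rar/7z: flagged, not parsed
        return report
    # zipfile locates the central directory from the end of the data, so the
    # SFX stub in front of the archive does not need to be stripped.
    with zipfile.ZipFile(io.BytesIO(pe_bytes)) as z:
        for name in z.namelist():
            lower = name.lower()
            if lower.endswith(".docx"):
                report["decoy_authors"][name] = docx_authors(z.read(name))
            elif lower.endswith((".exe", ".scr", ".dll")):
                report["executables"].append(name)
    report["suspicious"] = bool(report["decoy_authors"]) and bool(report["executables"])
    return report


def build_sample_docx(authors):
    """Constructed minimal OOXML container holding only core.xml."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/'
        'package/2006/metadata/core-properties" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/">'
        "<dc:creator>" + "; ".join(authors) + "</dc:creator>"
        "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()


def build_sample_sfx():
    """Constructed stand-in for the lure: a 128-byte fake PE stub followed by
    a ZIP holding a decoy .docx and an inert file named like a payload."""
    decoy = build_sample_docx(["Constructed Author One", "Constructed Author Two"])
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("World_Bank_initiative.docx", decoy)
        z.writestr("update.exe", b"MZ" + b"\x00" * 64)  # not a real executable
    stub = b"MZ" + b"\x90" * 126
    return stub + inner.getvalue()


if __name__ == "__main__":
    print(triage_sfx(build_sample_sfx()))
```

Run against a real suspicious file, `triage_sfx(open(path, "rb").read())` gives the analyst the two facts that mattered in this campaign: that the "document" is an archive carrying a second executable, and whose names are written into the decoy's metadata.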