A new variant of the RogueBin Trojan uses Google Drive as its Command & Control (C&C) server. The Trojan infects the victim's computers when the user opens a Microsoft Excel file containing embedded VBA macros. Once the macro is enabled, a .txt file is saved in the temporary directory, then the application "regsvr32.exe" is used to run it and finally a backdoor written in C# language is installed.
According to Palo Alto researchers, RogueRobin includes many stealth functions to check whether it is executed in the sandbox environment, including checking for virtualized environments, low memory, and common analysis tools running on the system. It also contains anti-debug code.
Like the original version, the new variant of RogueRobin also uses DNS tunneling, a technique of sending or retrieving data and commands through DNS query packets.