The notorious Rovnix banking malware has landed in Japan in a sophisticated campaign detected by only 7% of AV vendors, according to IBM’s X-Force team.
Rovnix is well known in Europe, but this is the first time it’s been detected in the Land of the Rising Sun with 14 major banks targeted, IBM cybersecurity evangelist, Limor Kessem, explained in a blog post.
The gang behind this current campaign appear to have paid close attention to the local market to make it as profitable as possible.
Rovnix arrives in the form of an unsolicited email from an .ru domain containing a malicious .zip attachment disguised as a waybill from a transportation company.
The email is written in Japanese and the malware itself has been configured according to the particular bank targeted.
“The injection mechanism used by Rovnix is a commercial offering that was sold to cyber-criminals in the underground by a developer who specializes in creating injections that perfectly mimic the look and feel of the targeted bank’s web pages. They even adapt the flow of events to the target’s authentication scheme,” Kessem explained.
“The web injections facilitate the display of social engineering content on the bank’s web pages as viewed from the infected user’s browser. For each bank, the injections used by Rovnix modify large parts of the original page, which is designed to trick the victim into divulging the second password or token for the ensuing fraudulent transaction.”
On some occasions, additional Rovnix injections will instruct victims to download an Android app onto their mobile. This app actually contains an SMS hijacker element which will monitor any incoming messages containing banking transaction codes, IBM claimed.
Worse still, Rovnix is highly persistent thanks to a bootkit feature, and only detected by four out of 54 AV vendors appraised by X-Force.
The past year has seen Japan increasingly targeted by banking malware launched from Eastern Europe and within the country—most notably Shifu, which IBM claims has seen something of a decline of late.
“On the bank’s side, fighting evolving threats like Rovnix’s bootkit variants is made easier with the right malware detection solutions,” Kessem concluded.
“With protection layers designed to address the ever-changing threat landscape, financial organizations can benefit from malware intelligence that provides real-time insight into fraudster techniques and capabilities.”
Photo © Frank Boston