IBM X-Force researchers have discovered that the cybercrime gang operating the Rovnix Trojan has launched an aggressive new infection campaign in Japan.

Rovnix is the latest advanced malware to set its sights on Japan. Before it came the Shifu Trojan, which initiated attacks in Japan in August 2015. The gang that operates Rovnix is known to focus on European banks, but its current campaigns in Japan are nothing short of an onslaught, with 14 major brands on the target list.

About Rovnix

The infection campaigns, the first of which appeared in early December 2015, leverage malware-laden email messages, delivering Rovnix’s downloader concealed inside benign-looking .zip attachments. The spam itself comes from email addresses on .ru domains. It uses one of the most common ploys: a package delivery from international transport companies, urging recipients to open a waybill (Figure 1, below). That unwitting action covertly launches Rovnix’s downloader from the archive .zip attachment.

According to IBM X-Force researchers, Rovnix came to the Japanese battlefield highly prepared, with crafty email spam written in Japanese and a hefty configuration file that was fully and uniquely adapted to attack major banks.

Inside Rovnix’s Japan-specific configuration, our researchers have found attack schemes tailored to each targeted bank. The schemes leverage an infrastructure of external scripts that call on Rovnix’s elaborate webinjections.

Learn more about Staying ahead of threats with global threat intelligence

Webinjections Help Rovnix Succeed

The injection mechanism used by Rovnix is a commercial offering that was sold to cybercriminals in the underground by a developer who specializes in creating injections that perfectly mimic the look and feel of the targeted bank’s Web pages. They even adapt the flow of events to the target’s authentication scheme.

The webinjections facilitate the display of social engineering content on the bank’s Web pages as viewed from the infected user’s browser. For each bank, the injections used by Rovnix modify large parts of the original page, which is designed to trick the victim into divulging the second password or token for the ensuing fraudulent transaction.

In some cases, Rovnix further deploys injections that instruct victims to download an Android app onto a mobile device. That app contains Rovnix’s SMS hijacker. The Rovnix in the mobile app will then listen for incoming SMS messages containing transaction authorization codes from the bank.

The mix of language-specific social engineering and mobile malware proves that the gang behind Rovnix has adequately prepared for the campaigns with all the necessary means for defrauding Japanese victims.

Rovnix’s operators come to Japan at a time when attacks from Shifu seem to have died down. While it is not clear why the Shifu gang has slowed down its attacks in Japan, the territory still appears ripe and lucrative to other organized cybercrime gangs hailing from Eastern Europe.

A Global Perspective

Thanks to its bootkit feature, Rovnix is considered to be a highly persistent malware. In terms of Rovnix’s ranking on the global malware list this year, IBM X-Force data shows that Rovnix has climbed into the top 10 global malware list after the botnet takedown of NGRbot (aka DorkBot). Rovnix’s global reach is limited when compared with other malware like Dyre or Neverquest because it usually focuses attacks on one country at a time.

The chart below shows Rovnix’s ranking among the top offenders on the financial malware roster for the year of 2015 based on IBM Trusteer data.

At the time of this writing, the Rovnix sample analyzed by IBM X-Force is only properly detected as Rovnix by four antivirus vendors out of 54, or 7 percent.

What’s Next for Japan?

Up until 2015, Japan was relatively protected from the banking Trojan revolution that has been affecting banks since the early 2000s thanks in large part to its language. That grace period came to an end when organized cybercrime, with ample funding for a new project, emerged in the Asia-Pacific region.

Starting in the summer of 2015, Japan began seeing some of the world’s most sophisticated banking Trojans attack banks in the country. From Japan-focused codes such as Tsukuba to the highly modular Shifu and now Rovnix, it is clear that the Japanese financial sector is under attack. It is now recognized as a lucrative target to cybercriminals from Japan and Eastern Europe.

IBM X-Force researchers expect Rovnix to continue its attacks in Japan and intensify campaigns in the country. We also expect to see other privately held malware gangs from within the country and Eastern Europe target financial entities in Japan.

IBM Security Trusteer has worked with customers to study and stop Rovnix attacks and can be of help to banks that wish to learn more about this high-risk threat. To stop threats like Rovnix, banks and service providers can use adaptive solutions to detect infections and protect customer endpoints when malware migrates or finds new focus in your region.

On the bank’s side, fighting evolving threats like Rovnix’s bootkit variants is made easier with the right malware detection solutions. With protection layers designed to address the ever-changing threat landscape, financial organizations can benefit from malware intelligence that provides real-time insight into fraudster techniques and capabilities.

Learn why global threat intelligence is critical in the fight against web fraud

More from Malware

Strela Stealer: Today’s invoice is tomorrow’s phish

12 min read - As of November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering Strela Stealer malware to victims throughout Europe - primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation's effectiveness. Hive0145 is likely to be…

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today