IBM X-Force researchers have discovered that the cybercrime gang operating the Rovnix Trojan has launched an aggressive new infection campaign in Japan.

Rovnix is the latest advanced malware to set its sights on Japan. Before it came the Shifu Trojan, which initiated attacks in Japan in August 2015. The gang that operates Rovnix is known to focus on European banks, but its current campaigns in Japan are nothing short of an onslaught, with 14 major brands on the target list.

About Rovnix

The infection campaigns, the first of which appeared in early December 2015, leverage malware-laden email messages, delivering Rovnix’s downloader concealed inside benign-looking .zip attachments. The spam itself comes from email addresses on .ru domains. It uses one of the most common ploys: a package delivery notice from an international transport company, urging recipients to open a waybill (Figure 1, below). That unwitting action covertly launches Rovnix’s downloader from the .zip archive.
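One way to catch this lure at the mail gateway, shown here as an added example rather than anything from IBM X-Force, Trusteer or the Rovnix samples themselves: parse the message, check the sender's TLD and the delivery-notice wording, and open any .zip attachment to see whether it carries an executable instead of a document. The sample message, the sender address, the attachment and member file names and the list of lure terms are all constructed for the demo; only the pattern (a .ru sender, a waybill lure and a .zip holding a downloader) comes from the article.

```python
"""Mail-gateway triage for the Rovnix delivery-notice lure.

Added example, not IBM X-Force or Trusteer tooling. Every address, file
name and lure term below is constructed for the demo.
"""
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# File types that, inside a "waybill" archive, are a downloader, not a document.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".js", ".jse", ".vbs", ".wsf", ".cmd", ".bat"}
SENDER_TLDS = (".ru",)
# Delivery / waybill lure terms in English and Japanese (constructed list, not exhaustive).
LURE_TERMS = ("waybill", "delivery", "shipment", "配送", "荷物", "送り状")


def build_sample_eml(malicious: bool = True) -> bytes:
    """Construct a test message. malicious=True mimics the lure; False is a benign control."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        if malicious:
            # Double extension: looks like a PDF, is a (fake) PE stub.
            zf.writestr("送り状_20151207.pdf.exe", b"MZ" + b"\0" * 64)
        else:
            zf.writestr("送り状_20151207.pdf", b"%PDF-1.4\n")
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "delivery@example-courier.ru" if malicious else "delivery@example-courier.co.jp"
    msg["To"] = "customer@example.co.jp"
    msg["Subject"] = "配送のお知らせ: 送り状をご確認ください"
    msg.set_content("お荷物をお届けできませんでした。添付の送り状をご確認ください。")
    msg.add_attachment(zip_buf.getvalue(), maintype="application", subtype="zip",
                       filename="waybill.zip")
    return msg.as_bytes()


def triage(raw: bytes) -> dict:
    """Score one raw RFC 822 message against the lure indicators from the article."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_hdr = msg["From"]
    domain = from_hdr.addresses[0].domain.lower() if from_hdr and from_hdr.addresses else ""
    subject = (msg["Subject"] or "").lower()
    result = {
        "sender_domain": domain,
        "ru_sender": domain.endswith(SENDER_TLDS),
        "lure_subject": any(term in subject for term in LURE_TERMS),
        "zip_attachments": [],
        "executables_in_zip": [],
        "bad_zip": [],
    }
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        result["zip_attachments"].append(name)
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                for member in zf.namelist():
                    if os.path.splitext(member)[1].lower() in EXECUTABLE_EXT:
                        result["executables_in_zip"].append(f"{name}:{member}")
        except zipfile.BadZipFile:
            result["bad_zip"].append(name)  # corrupt or not really a zip: still worth a look
    # An executable inside the archive is the decisive signal; the lure wording and
    # the sender TLD raise confidence but on their own describe ordinary mail.
    result["suspicious"] = bool(result["executables_in_zip"]) and (
        result["ru_sender"] or result["lure_subject"]
    )
    return result


if __name__ == "__main__":
    for label, flag in (("lure", True), ("benign", False)):
        print(label, triage(build_sample_eml(flag)))
```

The benign control shares the Japanese delivery-notice subject, so the verdict hinges on the archive's contents rather than the wording alone; a real gateway would also add the waybill attachment hash and the sender domain to its block list once a sample is confirmed.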

According to IBM X-Force researchers, Rovnix came to the Japanese battlefield highly prepared, with crafty email spam written in Japanese and a hefty configuration file that was fully and uniquely adapted to attack major banks.

Inside Rovnix’s Japan-specific configuration, our researchers have found attack schemes tailored to each targeted bank. The schemes leverage an infrastructure of external scripts that call on Rovnix’s elaborate webinjections.


Webinjections Help Rovnix Succeed

The injection mechanism used by Rovnix is a commercial offering that was sold to cybercriminals in the underground by a developer who specializes in creating injections that perfectly mimic the look and feel of the targeted bank’s Web pages. They even adapt the flow of events to the target’s authentication scheme.

The webinjections display social engineering content on the bank’s Web pages as rendered in the infected user’s browser. For each bank, the injections used by Rovnix modify large parts of the original page; the modified content is designed to trick the victim into divulging the second password or token needed for the ensuing fraudulent transaction.

In some cases, Rovnix further deploys injections that instruct victims to download an Android app onto a mobile device. That app contains Rovnix’s SMS hijacker. The mobile component then listens for incoming SMS messages containing transaction authorization codes from the bank.

The mix of language-specific social engineering and mobile malware shows that the gang behind Rovnix has prepared for the campaigns with all the means necessary to defraud Japanese victims.

Rovnix’s operators come to Japan at a time when attacks from Shifu seem to have died down. While it is not clear why the Shifu gang has slowed down its attacks in Japan, the territory still appears ripe and lucrative to other organized cybercrime gangs hailing from Eastern Europe.

A Global Perspective

Thanks to its bootkit feature, Rovnix is considered highly persistent malware. In terms of Rovnix’s ranking on the global malware list this year, IBM X-Force data shows that Rovnix climbed into the top 10 after the botnet takedown of NGRbot (aka DorkBot). Rovnix’s global reach is limited compared with malware like Dyre or Neverquest because it usually focuses its attacks on one country at a time.

The chart below shows Rovnix’s ranking among the top offenders on the financial malware roster for the year of 2015 based on IBM Trusteer data.

At the time of this writing, the Rovnix sample analyzed by IBM X-Force is only properly detected as Rovnix by four antivirus vendors out of 54, or 7 percent.

What’s Next for Japan?

Until 2015, Japan was relatively insulated from the banking Trojan wave that has affected banks since the early 2000s, largely because of its language. That grace period came to an end when organized cybercrime, with ample funding for a new project, emerged in the Asia-Pacific region.

Starting in the summer of 2015, Japan began seeing some of the world’s most sophisticated banking Trojans attack banks in the country. From Japan-focused code such as Tsukuba to the highly modular Shifu and now Rovnix, it is clear that the Japanese financial sector is under attack. It is now recognized as a lucrative target by cybercriminals from both Japan and Eastern Europe.

IBM X-Force researchers expect Rovnix to continue its attacks in Japan and intensify campaigns in the country. We also expect to see other privately held malware gangs from within the country and Eastern Europe target financial entities in Japan.

IBM Security Trusteer has worked with customers to study and stop Rovnix attacks and can help banks that wish to learn more about this high-risk threat. To stop threats like Rovnix, banks and service providers can use adaptive solutions that detect infections and protect customer endpoints when malware migrates to, or refocuses on, their region.

On the bank’s side, fighting evolving threats like Rovnix’s bootkit variants is made easier with the right malware detection solutions. With protection layers designed to address the ever-changing threat landscape, financial organizations can benefit from malware intelligence that provides real-time insight into fraudster techniques and capabilities.

