IBM X-Force researchers have discovered that the cybercrime gang operating the Rovnix Trojan has launched an aggressive new infection campaign in Japan.

Rovnix is the latest advanced malware to set its sights on Japan. Before it came the Shifu Trojan, which initiated attacks in Japan in August 2015. The gang that operates Rovnix is known to focus on European banks, but its current campaigns in Japan are nothing short of an onslaught, with 14 major brands on the target list.

About Rovnix

The infection campaigns, the first of which appeared in early December 2015, leverage malware-laden email messages, delivering Rovnix’s downloader concealed inside benign-looking .zip attachments. The spam itself comes from email addresses on .ru domains. It uses one of the most common ploys: a package delivery from international transport companies, urging recipients to open a waybill (Figure 1, below). That unwitting action covertly launches Rovnix’s downloader from the archive .zip attachment.
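As an added illustration of how a mail gateway could triage the lure described above (sender on a .ru domain, a .zip attachment, parcel-delivery wording), here is a small heuristic scorer; it is example code, not IBM's or any vendor's detection logic, and its keyword list and sample message are constructed assumptions (the real lure is written in Japanese, so the terms would need localizing):

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Hypothetical triage heuristics taken from the campaign description:
# .ru sender domain, .zip attachment, parcel-delivery/waybill lure text.
# The real lure is Japanese; these English keywords are placeholders.
LURE_KEYWORDS = ("waybill", "parcel", "shipment", "delivery")
ARCHIVE_EXTS = (".zip",)


def build_sample(sender, subject, body, attach_name):
    """Construct an in-memory test message (constructed sample, not a real one)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    # Dummy bytes stand in for the archive; no real payload is embedded.
    msg.add_attachment(b"PK\x03\x04placeholder", maintype="application",
                       subtype="octet-stream", filename=attach_name)
    return msg.as_bytes()


def triage(raw):
    """Return the list of heuristics that match a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    _, addr = parseaddr(str(msg["From"] or ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain.endswith(".ru"):
        reasons.append("sender on .ru domain")
    archives = [p.get_filename() for p in msg.iter_attachments()
                if (p.get_filename() or "").lower().endswith(ARCHIVE_EXTS)]
    if archives:
        reasons.append("archive attachment: " + ", ".join(archives))
    body_part = msg.get_body(preferencelist=("plain",))
    text = str(msg["Subject"] or "") + " "
    text += body_part.get_content() if body_part else ""
    hits = sorted(k for k in LURE_KEYWORDS if k in text.lower())
    if hits:
        reasons.append("delivery lure wording: " + ", ".join(hits))
    return reasons


def is_suspicious(raw, threshold=3):
    """Flag only when every heuristic fires, to keep false positives low."""
    return len(triage(raw)) >= threshold
```

Quarantine rather than block on a hit: the score is a triage signal for analysts, and a legitimate courier using an archive attachment would trip two of the three rules.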

According to IBM X-Force researchers, Rovnix came to the Japanese battlefield highly prepared, with crafty email spam written in Japanese and a hefty configuration file that was fully and uniquely adapted to attack major banks.

Inside Rovnix’s Japan-specific configuration, our researchers have found attack schemes tailored to each targeted bank. The schemes leverage an infrastructure of external scripts that call on Rovnix’s elaborate webinjections.


Webinjections Help Rovnix Succeed

The injection mechanism used by Rovnix is a commercial offering that was sold to cybercriminals in the underground by a developer who specializes in creating injections that perfectly mimic the look and feel of the targeted bank’s Web pages. They even adapt the flow of events to the target’s authentication scheme.

The webinjections display social engineering content on the bank’s Web pages as rendered in the infected user’s browser. For each bank, the injections used by Rovnix modify large parts of the original page, with the goal of tricking the victim into divulging the second password or token needed to complete the ensuing fraudulent transaction.

In some cases, Rovnix further deploys injections that instruct victims to download an Android app onto a mobile device. That app contains Rovnix’s SMS hijacker. Once installed, the mobile component listens for incoming SMS messages containing transaction authorization codes from the bank.

The mix of language-specific social engineering and mobile malware proves that the gang behind Rovnix has adequately prepared for the campaigns with all the necessary means for defrauding Japanese victims.

Rovnix’s operators come to Japan at a time when attacks from Shifu seem to have died down. While it is not clear why the Shifu gang has slowed down its attacks in Japan, the territory still appears ripe and lucrative to other organized cybercrime gangs hailing from Eastern Europe.

A Global Perspective

Thanks to its bootkit feature, Rovnix is considered highly persistent malware. In terms of Rovnix’s ranking on the global malware list this year, IBM X-Force data shows that Rovnix has climbed into the top 10 following the botnet takedown of NGRbot (aka DorkBot). Rovnix’s global reach is limited compared with malware like Dyre or Neverquest because it usually focuses its attacks on one country at a time.

The chart below shows Rovnix’s ranking among the top offenders on the financial malware roster for the year of 2015 based on IBM Trusteer data.

At the time of this writing, the Rovnix sample analyzed by IBM X-Force is only properly detected as Rovnix by four antivirus vendors out of 54, or 7 percent.

What’s Next for Japan?

Up until 2015, Japan was, thanks in large part to its language, relatively protected from the banking Trojan wave that has been affecting banks since the early 2000s. That grace period came to an end when organized cybercrime, with ample funding for a new project, emerged in the Asia-Pacific region.

Starting in the summer of 2015, Japan began seeing some of the world’s most sophisticated banking Trojans attack banks in the country. From Japan-focused malware such as Tsukuba to the highly modular Shifu and now Rovnix, it is clear that the Japanese financial sector is under attack. It is now recognized as a lucrative target by cybercriminals from Japan and Eastern Europe.

IBM X-Force researchers expect Rovnix to continue its attacks in Japan and intensify campaigns in the country. We also expect to see other privately held malware gangs from within the country and Eastern Europe target financial entities in Japan.

IBM Security Trusteer has worked with customers to study and stop Rovnix attacks and can be of help to banks that wish to learn more about this high-risk threat. To stop threats like Rovnix, banks and service providers can use adaptive solutions to detect infections and protect customer endpoints when malware migrates or finds a new focus in their region.

On the bank’s side, fighting evolving threats like Rovnix’s bootkit variants is made easier with the right malware detection solutions. With protection layers designed to address the ever-changing threat landscape, financial organizations can benefit from malware intelligence that provides real-time insight into fraudster techniques and capabilities.
