Konnichiwa, Rovnix! Aggressive Malware Hits Japanese Banks

IBM X-Force researchers have discovered that the cybercrime gang operating the Rovnix Trojan has launched an aggressive new infection campaign in Japan.

Rovnix is the latest advanced malware to set its sights on Japan. Before it came the Shifu Trojan, which initiated attacks in Japan in August 2015. The gang that operates Rovnix is known to focus on European banks, but its current campaigns in Japan are nothing short of an onslaught, with 14 major brands on the target list.

About Rovnix

The infection campaigns, the first of which appeared in early December 2015, leverage malware-laden email messages, delivering Rovnix’s downloader concealed inside benign-looking .zip attachments. The spam itself comes from email addresses on .ru domains. It uses one of the most common ploys: a package delivery from international transport companies, urging recipients to open a waybill (Figure 1, below). That unwitting action covertly launches Rovnix’s downloader from the archive .zip attachment.

Fake waybill sent in Rovnix malware spam

According to IBM X-Force researchers, Rovnix came to the Japanese battlefield highly prepared, with crafty email spam written in Japanese and a hefty configuration file that was fully and uniquely adapted to attack major banks.

Inside Rovnix’s Japan-specific configuration, our researchers have found attack schemes tailored to each targeted bank. The schemes leverage an infrastructure of external scripts that call on Rovnix’s elaborate webinjections.

Learn more about Staying ahead of threats with global threat intelligence

Webinjections Help Rovnix Succeed

The injection mechanism used by Rovnix is a commercial offering that was sold to cybercriminals in the underground by a developer who specializes in creating injections that perfectly mimic the look and feel of the targeted bank’s Web pages. They even adapt the flow of events to the target’s authentication scheme.

The webinjections facilitate the display of social engineering content on the bank’s Web pages as viewed from the infected user’s browser. For each bank, the injections used by Rovnix modify large parts of the original page, which is designed to trick the victim into divulging the second password or token for the ensuing fraudulent transaction.

In some cases, Rovnix further deploys injections that instruct victims to download an Android app onto a mobile device. That app contains Rovnix’s SMS hijacker. The Rovnix in the mobile app will then listen for incoming SMS messages containing transaction authorization codes from the bank.

The mix of language-specific social engineering and mobile malware proves that the gang behind Rovnix has adequately prepared for the campaigns with all the necessary means for defrauding Japanese victims.

Rovnix’s operators come to Japan at a time when attacks from Shifu seem to have died down. While it is not clear why the Shifu gang has slowed down its attacks in Japan, the territory still appears ripe and lucrative to other organized cybercrime gangs hailing from Eastern Europe.

A Global Perspective

Thanks to its bootkit feature, Rovnix is considered to be a highly persistent malware. In terms of Rovnix’s ranking on the global malware list this year, IBM X-Force data shows that Rovnix has climbed into the top 10 global malware list after the botnet takedown of NGRbot (aka DorkBot). Rovnix’s global reach is limited when compared with other malware like Dyre or Neverquest because it usually focuses attacks on one country at a time.

The chart below shows Rovnix’s ranking among the top offenders on the financial malware roster for the year of 2015 based on IBM Trusteer data.

Top attacking financial malware families in 2015 (Source: IBM Trusteer)

At the time of this writing, the Rovnix sample analyzed by IBM X-Force is only properly detected as Rovnix by four antivirus vendors out of 54, or 7 percent.

What’s Next for Japan?

Up until 2015, Japan was relatively protected from the banking Trojan revolution that has been affecting banks since the early 2000s thanks in large part to its language. That grace period came to an end when organized cybercrime, with ample funding for a new project, emerged in the Asia-Pacific region.

Starting in the summer of 2015, Japan began seeing some of the world’s most sophisticated banking Trojans attack banks in the country. From Japan-focused codes such as Tsukuba to the highly modular Shifu and now Rovnix, it is clear that the Japanese financial sector is under attack. It is now recognized as a lucrative target to cybercriminals from Japan and Eastern Europe.

IBM X-Force researchers expect Rovnix to continue its attacks in Japan and intensify campaigns in the country. We also expect to see other privately held malware gangs from within the country and Eastern Europe target financial entities in Japan.

IBM Security Trusteer has worked with customers to study and stop Rovnix attacks and can be of help to banks that wish to learn more about this high-risk threat. To stop threats like Rovnix, banks and service providers can use adaptive solutions to detect infections and protect customer endpoints when malware migrates or finds new focus in your region.

On the bank’s side, fighting evolving threats like Rovnix’s bootkit variants is made easier with the right malware detection solutions. With protection layers designed to address the ever-changing threat landscape, financial organizations can benefit from malware intelligence that provides real-time insight into fraudster techniques and capabilities.

Learn why global threat intelligence is critical in the fight against web fraud

Share this Article:
Limor Kessem

Executive Security Advisor, IBM

Limor Kessem is one of the top cyber intelligence experts at IBM Security. She is a seasoned security advocate, public speaker, and a regular blogger on the cutting-edge IBM Security Intelligence blog. Limor comes to IBM from organizations like RSA Security, where she spent 5 years as part of the RSA research labs and drove the FraudAction blog on RSA's Speaking of Security. She also served as the Marketing Director of Big Data analytics startup ThetaRay, where she created the company's cybersecurity thought leadership. Limor is considered an authority on emerging cybercrime threats. She participated as a highly appreciated speaker on live InfraGard New York webcasts (an FBI collaboration), spoke in RSA events worldwide, conducts live webinars on all things fraud and cybercrime, and writes a large variety of threat intelligence  publications. With her unique position at the intersection of multiple research teams at IBM, and her fingers on the pulse of current day threats, Limor covers the full spectrum of trends affecting consumers, corporations, and the industry as a whole. On the social side, Limor tweets security items as @iCyberFighter and is an avid Brazilian Jiu Jitsu fighter.