IBM X-Force researchers have discovered that the cybercrime gang operating the Rovnix Trojan has launched an aggressive new infection campaign in Japan.

Rovnix is the latest advanced malware to set its sights on Japan. Before it came the Shifu Trojan, which initiated attacks in Japan in August 2015. The gang that operates Rovnix is known to focus on European banks, but its current campaigns in Japan are nothing short of an onslaught, with 14 major brands on the target list.

About Rovnix

The infection campaigns, the first of which appeared in early December 2015, leverage malware-laden email messages, delivering Rovnix’s downloader concealed inside benign-looking .zip attachments. The spam itself comes from email addresses on .ru domains. It uses one of the most common ploys: a package delivery from international transport companies, urging recipients to open a waybill (Figure 1, below). That unwitting action covertly launches Rovnix’s downloader from the archive .zip attachment.
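The lure described above has a recognizable shape: a delivery-themed message from a .ru sender carrying a .zip archive whose member is an executable posing as a waybill. The following mail-gateway triage routine is an added example written for this post, not code from IBM X-Force or from the Rovnix campaign; the sender addresses, subjects and archive contents are constructed samples, and the keyword list and scoring thresholds are assumptions a deployment would tune.

```python
import io
import zipfile
from dataclasses import dataclass

# File types that should never arrive inside a "waybill" archive (assumed list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".jar"}
# Delivery-lure words in Japanese and English (constructed, not from the campaign).
DELIVERY_KEYWORDS = ("配送", "荷物", "送り状", "waybill", "delivery", "shipment", "tracking")


@dataclass
class Email:
    sender: str
    subject: str
    attachments: dict  # filename -> raw attachment bytes


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def archive_members(data: bytes) -> list:
    """List file names inside a zip attachment without extracting anything to disk."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [i.filename for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return []


def assess(email: Email) -> list:
    """Return the list of campaign indicators present in one message."""
    findings = []
    if sender_domain(email.sender).endswith(".ru"):
        findings.append("sender-domain-ru")
    if any(k.lower() in email.subject.lower() for k in DELIVERY_KEYWORDS):
        findings.append("delivery-lure")
    for name, data in email.attachments.items():
        if name.lower().endswith(".zip"):
            findings.append("zip-attachment")
            for member in archive_members(data):
                ext = "." + member.rsplit(".", 1)[-1].lower() if "." in member else ""
                if ext in EXECUTABLE_EXTENSIONS:
                    findings.append(f"executable-in-zip:{member}")
    return findings


def verdict(email: Email) -> tuple:
    """Map indicators to a gateway action (thresholds are assumptions)."""
    findings = assess(email)
    has_exec = any(f.startswith("executable-in-zip") for f in findings)
    if has_exec and "delivery-lure" in findings:
        return "quarantine", findings
    if len(findings) >= 2:
        return "review", findings
    return "allow", findings


def build_zip(members: dict) -> bytes:
    """Build an in-memory zip so the constructed samples below are self-contained."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: one message shaped like the lure, one ordinary message.
SUSPECT = Email(
    sender="info@delivery-notice.example.ru",
    subject="配送のお知らせ: 荷物の送り状",
    attachments={"waybill_20151203.zip": build_zip({"waybill_20151203.exe": b"MZ..."})},
)
BENIGN = Email(
    sender="alice@example.co.jp",
    subject="会議資料",
    attachments={"agenda.zip": build_zip({"agenda.txt": b"agenda"})},
)

if __name__ == "__main__":
    for label, msg in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, *verdict(msg))
```

The archive is inspected in memory and never extracted, and the decision rests on the combination of indicators rather than any single one, so an ordinary Japanese business message with a zip of documents passes while the waybill lure is held.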

According to IBM X-Force researchers, Rovnix came to the Japanese battlefield highly prepared, with crafty email spam written in Japanese and a hefty configuration file that was fully and uniquely adapted to attack major banks.

Inside Rovnix’s Japan-specific configuration, our researchers have found attack schemes tailored to each targeted bank. The schemes leverage an infrastructure of external scripts that call on Rovnix’s elaborate webinjections.


Webinjections Help Rovnix Succeed

The injection mechanism used by Rovnix is a commercial offering that was sold to cybercriminals in the underground by a developer who specializes in creating injections that perfectly mimic the look and feel of the targeted bank’s Web pages. They even adapt the flow of events to the target’s authentication scheme.

The webinjections facilitate the display of social engineering content on the bank’s Web pages as viewed from the infected user’s browser. For each bank, the injections used by Rovnix modify large parts of the original page; the modified page is designed to trick the victim into divulging the second password or token needed for the ensuing fraudulent transaction.

In some cases, Rovnix further deploys injections that instruct victims to download an Android app onto a mobile device. That app contains Rovnix’s SMS hijacker. Once installed, the mobile component listens for incoming SMS messages containing transaction authorization codes sent by the bank.
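Because the injected content exists only in the victim's browser, one way a bank can detect it is to compare a page as rendered on the customer's side with the reference page it actually served: extra form fields, prompts for a second password or one-time code, and scripts loaded from hosts the bank does not own are all signs of a webinject. The comparison below is an added example written for this post, not code from IBM Trusteer or from the Rovnix kit; the two HTML documents, the allowed script host and the prompt keyword list are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Words an injected prompt for the second factor would use (constructed list).
SECOND_FACTOR_WORDS = ("second password", "token", "one-time", "ワンタイム", "第二暗証")


class PageInventory(HTMLParser):
    """Collect input names, external script sources and visible text from a page."""

    def __init__(self):
        super().__init__()
        self.inputs = set()
        self.scripts = set()
        self.text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name"):
            self.inputs.add(a["name"])
        elif tag == "script" and a.get("src"):
            self.scripts.add(a["src"])

    def handle_data(self, data):
        if data.strip():
            self.text.append(data.strip())


def inventory(html: str) -> PageInventory:
    p = PageInventory()
    p.feed(html)
    return p


def prompts_in(inv: PageInventory) -> set:
    joined = " ".join(inv.text).lower()
    return {w for w in SECOND_FACTOR_WORDS if w.lower() in joined}


def compare(baseline_html: str, observed_html: str, allowed_script_hosts: set) -> dict:
    """Diff the observed (client-side) page against the bank's reference page."""
    base = inventory(baseline_html)
    obs = inventory(observed_html)
    foreign = []
    for src in sorted(obs.scripts - base.scripts):
        host = urlparse(src).hostname
        # Relative sources are same-origin; only named hosts are checked.
        if host is not None and host not in allowed_script_hosts:
            foreign.append(src)
    report = {
        "extra_inputs": sorted(obs.inputs - base.inputs),
        "foreign_scripts": foreign,
        "new_second_factor_prompts": sorted(prompts_in(obs) - prompts_in(base)),
    }
    report["suspicious"] = bool(
        report["extra_inputs"] or report["foreign_scripts"] or report["new_second_factor_prompts"]
    )
    return report


# Constructed reference login page (what the bank served).
BASELINE = """
<html><body>
<script src="/static/app.js"></script>
<form action="/login" method="post">
  <label>お客様番号</label><input name="customer_id">
  <label>パスワード</label><input name="password" type="password">
  <button>ログイン</button>
</form>
</body></html>
"""

# Constructed page as captured from an infected browser: an injected field and script.
OBSERVED = """
<html><body>
<script src="/static/app.js"></script>
<script src="https://cdn.example-inject.net/inj.js"></script>
<form action="/login" method="post">
  <label>お客様番号</label><input name="customer_id">
  <label>パスワード</label><input name="password" type="password">
  <p>セキュリティ強化のため、ワンタイムパスワードを入力してください</p>
  <input name="otp_token">
  <button>ログイン</button>
</form>
</body></html>
"""

if __name__ == "__main__":
    print(compare(BASELINE, OBSERVED, {"www.bank.example"}))
```

The reference page is the authority, so legitimate relative scripts and fields present in both documents are ignored; anything that appears only on the client side is reported, and the presence of a new second-factor prompt is reported separately because that is the element the social engineering depends on.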

The mix of language-specific social engineering and mobile malware proves that the gang behind Rovnix has adequately prepared for the campaigns with all the necessary means for defrauding Japanese victims.

Rovnix’s operators come to Japan at a time when attacks from Shifu seem to have died down. While it is not clear why the Shifu gang has slowed down its attacks in Japan, the territory still appears ripe and lucrative to other organized cybercrime gangs hailing from Eastern Europe.

A Global Perspective

Thanks to its bootkit feature, Rovnix is considered highly persistent malware. In terms of Rovnix’s ranking on the global malware list this year, IBM X-Force data shows that Rovnix has climbed into the top 10 global malware list after the botnet takedown of NGRbot (aka DorkBot). Rovnix’s global reach is limited when compared with other malware like Dyre or Neverquest because it usually focuses attacks on one country at a time.

The chart below shows Rovnix’s ranking among the top offenders on the financial malware roster for the year of 2015 based on IBM Trusteer data.

At the time of this writing, the Rovnix sample analyzed by IBM X-Force is only properly detected as Rovnix by four antivirus vendors out of 54, or 7 percent.

What’s Next for Japan?

Up until 2015, Japan was relatively protected from the banking Trojan revolution that has been affecting banks since the early 2000s thanks in large part to its language. That grace period came to an end when organized cybercrime, with ample funding for a new project, emerged in the Asia-Pacific region.

Starting in the summer of 2015, Japan began seeing some of the world’s most sophisticated banking Trojans attack banks in the country. From Japan-focused codes such as Tsukuba to the highly modular Shifu and now Rovnix, it is clear that the Japanese financial sector is under attack. It is now recognized as a lucrative target to cybercriminals from Japan and Eastern Europe.

IBM X-Force researchers expect Rovnix to continue its attacks in Japan and intensify campaigns in the country. We also expect to see other privately held malware gangs from within the country and Eastern Europe target financial entities in Japan.

IBM Security Trusteer has worked with customers to study and stop Rovnix attacks and can be of help to banks that wish to learn more about this high-risk threat. To stop threats like Rovnix, banks and service providers can use adaptive solutions to detect infections and protect customer endpoints when malware migrates or finds new focus in their region.

On the bank’s side, fighting evolving threats like Rovnix’s bootkit variants is made easier with the right malware detection solutions. With protection layers designed to address the ever-changing threat landscape, financial organizations can benefit from malware intelligence that provides real-time insight into fraudster techniques and capabilities.
