Oana Murarasu, Security Software Engineer at Ixia
Security Software Engineer at Ixia

Rovnix, Strikes Again

January 27, 2016 by Oana Murarasu

What's Rovnix?

Rovnix represents a piece of malware that has been seen in the wild for almost five years. This malware is a banking Trojan that depends on web injections in order to harvest information about a victim. The web injections’ intent may differ from misleading a victim into providing data for confirming all kinds of transactions to convincing users to install certain applications that are later used to capture codes/passwords or any other information supporting transactions authorization. Thus the targeted information consists of banking accounts that would enable stealing money.

Aside from stealing passwords and logging keystrokes, Rovnix also has backdoor abilities. This is why this malware symbolizes a great threat to your business.

Rovnix spreads via emails infected with Andromeda downloader. If these emails’ attachments get executed, Rovnix is downloaded and executed on the target machine where its objective is to gather private data. Early editions of malware used to extract data from infected machines through unencrypted communications but this changed in the versions seen in the last 2 years which use encryption.

Rovnix made it to the top 10 financial malware list in 2015 due to the number of infections. After being seen in several countries, one by one, at the end of last year, it was spotted spreading across yet another country. Japan seems to be the new target and the malware has been of course customized accordingly. The malicious emails that were sent are written in Japanese and the malware is individualized per targeted bank with custom features that work better in enticing a person into running the desired executable file. On an infected PC, the malware injects code into several Japanese banks login pages. When victims access their accounts, a man-in-the-middle attack is performed which provides access to the victims’ funds. Rovnix also handles the scenarios in which banks use one-time login passwords that can be sent via text messages. In this case, the victims are tricked into downloading and installing Android phone applications, which would enable the delivery of the needed passwords. On the other hand, if the malware gets installed on a machine that does not do online transactions, it executes ransomware as an alternative, locking up the pc and requesting recompense in order to unlock it.

Rovnix embodies a threat in continuous development over customized features that seems to be targeting new territories and that companies need to be protected against. IXIA provides a sample of the Rovnix malware in the Ixia January 2016 Malware Monthly Package Update.

-- Oana Murarasu, ATI Security Researcher