Security researchers at IBM’s X-Force have identified a worrying new Rovnix malware strain that is being used in a spate of cyberattacks on Japanese banks.
Rovnix malware is nothing new. It has been around for a couple of years but it is now ranking as one of the top ten most popular malware strains to be used for attacks on financial institutions. It may not be used nearly as often as Dyre, Neverquest, Dridex, Zeus or Gozi, – the top 5 malware currently being used by cybercriminals – but it is particularly nasty and is highly persistent. Worse still, the new strain of the malware is only recognized by 7% of anti-virus software vendors.
New Rovnix Malware Strain Is Particularly Worrying for Japan’s Banks
The latest wave of attacks on Japanese banks signal a major departure from the usual attacks being conducted by cybercriminal gangs in Europe. Previously, they have concentrated on attacking European banks and Japan has been left well alone. That is no longer the case. In fact, IBM’s X-Force has described the latest wave of attacks as “an onslaught.” The criminal gang behind the latest Rovnix malware attack has already targeted 14 Japanese banks since the start of December last year.
The language barrier has prevented cybercriminal gangs from targeting Japans banks in the past, but they have now got around the problem and have developed their campaign in Japanese. Each campaign has been tailored for each of the banks under attack.
As with campaigns conducted in Europe, the primary means of malware delivery is spam email. A spam message contains a zip file with a fairly innocuous waybill detailing the delivery of a parcel from a courier company. Opening the attachment and viewing the waybill will result in a downloader being launched that will load Rovnix malware onto a device.
Highly Sophisticated Rovnix Malware Defeats Two-Factor Authentication
One of the most worrying features of Rovnix malware is its elaborate web injection mechanism which mimics the banks web pages. When an end user visits the bank’s webpage the malware injects Javascript and shows the user modified sections of the banks webpage. Login credentials are stolen, but crucially, so is the second password which enables a transaction to be conducted.
More worrying is some users are being prompted to download an app to their mobile phone. Doing that will result in their SMS messages being compromised. When the bank sends an authorization code to the mobile device, the cybercriminals will use that code to authorize a fraudulent transfer, defeating the two-factor authentication used by the bank.
Rovnix malware tends to be used to target one country at a time, but that may not necessarily always be the case. It can be quickly and easily adapted to attack any country’s banks. Rovnix malware is highly sophisticated and can be tailored to attack different institutions and evade detection. Even before the malware is installed, it can scan a device and determine which security protections are installed. It then uses a wide range of mechanisms to evade detection.
