Operators of the Rovnix Trojan, which has been known to target users in Europe, have now set their sights on Japanese banks, IBM reported on Thursday.
IBM X-Force researchers started seeing Rovnix attacks in Japan in early December. The malware downloader, distributed via spam emails coming from .ru email addresses, has been disguised as a package delivery notice from international transport companies.
Experts have pointed out that the campaign targeting Japan is well organized — the malicious emails are written in Japanese, and the malware configuration file includes custom specifications for each of the 14 targeted banks.
As many other banking Trojans, Rovnix relies on web injections to obtain information that cybercriminals can use to steal money from victims’ accounts. The webinjects used by the malware have been developed by a group that sells injection mechanisms on the underground market.
While some of the web injections are designed to trick victims into providing details needed to perform fraudulent transactions, others also get users to install Android applications that can be used to intercept authorization codes sent by the victim’s bank.
“The mix of language-specific social engineering and mobile malware proves that the gang behind Rovnix has adequately prepared for the campaigns with all the necessary means for defrauding Japanese victims,” IBM’s Limor Kessem explained in a blog post.
When IBM published its blog post on the Japan Rovnix attacks, only a handful of antivirus vendors detected the sample analyzed by the company. Currently, 41 of the 55 vendors present on VirusTotal detect the threat.
IBM expects the cybercriminals behind Rovnix to continue and even intensify their operations in Japan.
Rovnix hasn’t been as widespread as other financial malware families, such as Dyre, Neverquest, Dridex and Zeus. However, with Dorkbot recently taken out of the picture, the threat has made it to the top 10 global malware list.