Operators of the Rovnix Trojan, which has been known to target users in Europe, have now set their sights on Japanese banks, IBM reported on Thursday.
IBM X-Force researchers started seeing Rovnix attacks in Japan in early December. The malware downloader, distributed via spam emails coming from .ru email addresses, has been disguised as a package delivery notice from international transport companies.
Experts have pointed out that the campaign targeting Japan is well organized — the malicious emails are written in Japanese, and the malware configuration file includes custom specifications for each of the 14 targeted banks.
As many other banking Trojans, Rovnix relies on web injections to obtain information that cybercriminals can use to steal money from victims’ accounts. The webinjects used by the malware have been developed by a group that sells injection mechanisms on the underground market.
While some of the web injections are designed to trick victims into providing details needed to perform fraudulent transactions, others also get users to install Android applications that can be used to intercept authorization codes sent by the victim’s bank.
“The mix of language-specific social engineering and mobile malware proves that the gang behind Rovnix has adequately prepared for the campaigns with all the necessary means for defrauding Japanese victims,” IBM’s Limor Kessem explained in a blog post.
When IBM published its blog post on the Japan Rovnix attacks, only a handful of antivirus vendors detected the sample analyzed by the company. Currently, 41 of the 55 vendors present on VirusTotal detect the threat.
Rovnix is not the only banking Trojan targeting Japan. In the past, experts spotted attacks leveraging Brolux, Neverquest, Tsukuba, and Shifu, which seems to have died down recently.
IBM expects the cybercriminals behind Rovnix to continue and even intensify their operations in Japan.
Rovnix hasn’t been as widespread as other financial malware families, such as Dyre, Neverquest, Dridex and Zeus. However, with Dorkbot recently taken out of the picture, the threat has made it to the top 10 global malware list.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm
- New York Man Arrested for Running BreachForums Cybercrime Website
- Exploitation of Recent Fortinet Zero-Day Linked to Chinese Cyberspies
- Mozilla Patches High-Severity Vulnerabilities With Release of Firefox 111
- Microsoft: 17 European Nations Targeted by Russia in 2023 as Espionage Ramping Up
- Cybercriminals, APT Exploited Telerik Vulnerability in Attacks on US Government Agency
- US Charges Two Men Over Use of Hacked Law Enforcement Database for Doxing
- Chinese Cyberspies Hacked DLP Company Serving Military, Government Orgs
Latest News
- Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm
- NBA Notifying Individuals of Data Breach at Mailing Services Provider
- Adobe Acrobat Sign Abused to Distribute Malware
- New York Man Arrested for Running BreachForums Cybercrime Website
- Huawei Has Replaced Thousands of US-Banned Parts With Chinese Versions: Founder
- Latitude Financial Services Data Breach Impacts 300,000 Customers
- US Government Warns Organizations of LockBit 3.0 Ransomware Attacks
- New ‘Trigona’ Ransomware Targets US, Europe, Australia
