Poland and Norway users affected by malicious campaigns

Oct 10, 2014 13:30 GMT

Malware authors have modified the Rovnix malware to include better anti-detection capabilities and are using it in malicious campaigns against countries in Europe.

Among the changes in the latest variant are a new domain generation algorithm (DGA) and randomly generated names for the files the malware uses.

Rovnix is known to security researchers for its bootkit component, which allows the malicious program to execute before the operating system starts loading. This means that the machine is compromised well before the user sees the desktop screen, making detection more difficult.

However, it appears that the bootkit component has been removed from the latest variant and only a user-mode component is now supported.

Improving on the evasion capabilities

One of the modifications in the new Rovnix is a changed communication protocol designed to avoid pattern-based traffic detection, says Peter Kruse, security specialist with CSIS in Denmark. But all is not lost: the expert noticed that the first letter of the randomly generated file names still reveals whether a request is for the configuration, task or data file.

“In the latest Rovnix variant, the author changed the protocol in order to avoid traffic detection by patterns. So now, it is generating a random file name, of which only the first letter is of importance. It can be one of the following three: ‘c’ for config.php, ‘t’ – for task.php and ‘d’ – for data,” the researcher writes in a blog post.
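A defender-side check built on that observation, added here as an example and not code from the article or from CSIS: it parses constructed proxy log lines (client, method, URL), classifies each requested file name by its first letter into config, task or data, and flags a client only when its requests cover two or more of the three roles, because a single ‘c’, ‘t’ or ‘d’ file name is far too common on its own (the benign contact.php in the sample shows why). The log format, the sample hosts and the two-role correlation threshold are assumptions, not details from the write-up.

```python
import re
from urllib.parse import urlsplit

# Role of a Rovnix request, keyed by the first letter of the randomly generated
# file name (the one detail the CSIS researcher says matters).
ROVNIX_ROLES = {"c": "config", "t": "task", "d": "data"}

# Constructed sample proxy log lines, not real Rovnix traffic.
# Format (assumed): "<client-ip> <method> <url>"
SAMPLE_LOG = """\
10.0.0.5 POST http://example-host-1.test/cqzxlpwe.php
10.0.0.5 POST http://example-host-1.test/tbmqwry.php?s=1
10.0.0.7 GET http://www.example.org/contact.php
10.0.0.5 POST http://example-host-2.test/dkvnsoaq.php
10.0.0.9 GET http://www.example.org/index.html
10.0.0.7 GET http://www.example.org/images/logo.png
"""

LINE_RE = re.compile(r"^(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$")


def file_name(url):
    """Return the last path component of a URL, without the query string."""
    return urlsplit(url).path.rsplit("/", 1)[-1]


def classify(url):
    """Map a request to a Rovnix role from the file name's first letter, or None."""
    name = file_name(url).lower()
    if not name:
        return None
    return ROVNIX_ROLES.get(name[0])


def roles_per_client(log_text):
    """Collect, for each client, the set of Rovnix roles its requests match."""
    seen = {}
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip malformed lines rather than crash on them
        role = classify(match["url"])
        if role is not None:
            seen.setdefault(match["client"], set()).add(role)
    return seen


def suspicious_clients(log_text, min_roles=2):
    """Clients whose traffic covers at least min_roles of config/task/data.

    A lone match is weak evidence (contact.php also starts with 'c'), so the
    threshold defaults to two roles; this correlation rule is an assumption
    made for the example, not part of the CSIS write-up.
    """
    return sorted(
        client
        for client, roles in roles_per_client(log_text).items()
        if len(roles) >= min_roles
    )


if __name__ == "__main__":
    for client, roles in sorted(roles_per_client(SAMPLE_LOG).items()):
        print(client, sorted(roles))
    print("flagged:", suspicious_clients(SAMPLE_LOG))
```

Run against the sample, only 10.0.0.5 is flagged: it touched a ‘c’, a ‘t’ and a ‘d’ file, while 10.0.0.7 only fetched contact.php. In practice the letter heuristic is best combined with the other indicators the article lists (DGA-looking host names, fast-flux resolution) rather than used alone.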

Additional features observed by the researchers include the use of fast flux and encrypted communication with the command and control server.

Different samples used in multiple campaigns

The researchers spotted the new strain in three campaigns where multiple samples were used, each of them having slight modifications such as the one mentioned above.

In an operation targeting Poland, the malware resorts to a DGA to make contact with the command and control (C&C) server and relies on base64 encoding.

Another sample, used in a different campaign, protects communication with the C&C by encrypting it.

In a third campaign, targeting users in Norway, the malicious actors added a key for encryption and did not use CAM compression, as was the case in the attack against Polish users.

Furthermore, a new control panel version is employed for managing the malware and the infected computers. Luckily, the researchers found a manual written in Russian that explains how it can be set up. Kruse believes that this happened because of a publicly exposed bug in the previous version of the administration software.