Rovnix crew leaves Europe, now targets Japanese banks

Jan 12, 2016 15:49 GMT  ·  By

Japanese users are facing one of the most advanced banking trojans currently in circulation: the stealthy Rovnix banking malware, which until now had been seen targeting only European countries.

Rovnix and its creators, who made a name for themselves in 2014, have moved on from the European market and are now targeting the users of Japan's 14 biggest banks.

The Rovnix malware is a dangerous threat, well equipped to mimic the web login pages of various banking applications inside the victim's browser and harvest sensitive financial information.

Rovnix only targets Japanese banks in its latest campaign

According to IBM's X-Force researchers, this particular version of Rovnix that's being deployed against Japanese users has been specifically updated to target only 14 banks and nothing more.

Furthermore, the researchers also found that Rovnix's authors seem to have purchased a Web injections package from the dark market, capable of adapting to each banking portal's layout.

"The webinjections facilitate the display of social engineering content on the bank’s Web pages as viewed from the infected user’s browser," IBM explains. "For each bank, the injections used by Rovnix modify large parts of the original page, which is designed to trick the victim into divulging the second password or token for the ensuing fraudulent transaction."

Additionally, in some cases the web injections package also lures users into installing a malicious Android banking app, which lets the Rovnix operators intercept the SMS authorization codes sent for the fraudulent transactions they make from the compromised account.
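To make the webinject mechanism concrete, here is a simplified model of what such a package does to a bank's login page and one way to notice the fields it adds. This is an added example, not Rovnix's code, the purchased injection package or IBM's analysis; the rule format (URL pattern, a "before" marker, an "after" marker, HTML spliced in between), the hypothetical bank.example page and the expected-field baseline are all assumptions.

```python
"""Simplified model of a banking webinject and a check for the fields it adds.

Added example for illustration; this is not Rovnix's code, the purchased
injection package, or IBM's analysis. The rule format (URL pattern, a
'before' marker, an 'after' marker, HTML to splice in between) is an
assumption modelled on the way such packages are commonly documented.
"""
import re
from html.parser import HTMLParser

# Constructed stand-in for a bank login page as the bank serves it.
BANK_LOGIN_HTML = """<html><body>
<form id="login" action="/login" method="post">
  <input name="user_id" type="text">
  <input name="password" type="password">
  <button type="submit">Log in</button>
</form>
</body></html>"""

# Constructed inject rule (hypothetical bank.example): match the login URL and
# splice social-engineering content between the two markers.
INJECT_RULE = {
    "url": r"https://bank\.example/login.*",
    "before": '<input name="password" type="password">',
    "after": "<button",
    "inject": (
        "\n  <p>Security notice: please also enter today's one-time token.</p>"
        '\n  <input name="otp_token" type="text">\n  '
    ),
}


def apply_webinject(url: str, html: str, rule: dict) -> str:
    """Return the page as the infected browser would render it.

    Everything between the 'before' and 'after' markers is replaced by the
    rule's inject payload; pages that do not match the URL pattern or that
    lack either marker are returned untouched.
    """
    if not re.fullmatch(rule["url"], url):
        return html
    start = html.find(rule["before"])
    if start == -1:
        return html
    start += len(rule["before"])
    end = html.find(rule["after"], start)
    if end == -1:
        return html
    return html[:start] + rule["inject"] + html[end:]


class _FormFieldCollector(HTMLParser):
    """Collects the name attribute of every <input> in the page."""

    def __init__(self) -> None:
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            name = dict(attrs).get("name")
            if name:
                self.fields.append(name)


def form_fields(html: str) -> list:
    """Input names in document order."""
    parser = _FormFieldCollector()
    parser.feed(html)
    return parser.fields


# Baseline of the fields the bank's login form actually contains (assumed).
EXPECTED_FIELDS = {"user_id", "password"}


def unexpected_fields(html: str) -> set:
    """Input names present in the rendered form but absent from the baseline."""
    return set(form_fields(html)) - EXPECTED_FIELDS


if __name__ == "__main__":
    rendered = apply_webinject("https://bank.example/login?lang=ja",
                               BANK_LOGIN_HTML, INJECT_RULE)
    print(rendered)
    print("unexpected fields:", unexpected_fields(rendered))
```

The baseline comparison is only worth anything where the malware cannot reach it. The injection happens inside the victim's browser process, so the same malware can rewrite any client-side JavaScript that performs the check; a bank would run the comparison server side, on the set of field names that actually arrives with the login request, rather than in the page.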

Rovnix is spread via spam emails coming from a .ru domain

As with many banking trojans, infection starts when the user opens an attachment received via spam email. In Rovnix's case, the criminals behind this campaign use booby-trapped archives whose contents download and install the malware. Rovnix is boot persistent: it survives reboots and can remain on an infected system for weeks, months or even years.

All the spam emails are written in Japanese but are sent from addresses under .ru, Russia's country-code domain.
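The combination described here, a Japanese-language body, a sender address under .ru, and an archive attachment carrying an executable, is the kind of pattern a mail-security team can turn into a triage rule. The following is an added example, not IBM's detection logic or a rule from any product; the sample messages are constructed, and the executable-extension list, the language-ratio threshold and the hypothetical example.ru and example.jp addresses are assumptions.

```python
"""Triage rule for the lure pattern described above: Japanese-language body,
sender address under .ru, and an archive attachment that carries an executable.

Added example, not IBM's detection logic or a rule from any product. The
sample messages are constructed, and the executable-extension list, the
language ratio threshold and the hypothetical example.ru / example.jp
addresses are assumptions.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed list of extensions worth flagging inside an archive.
EXECUTABLE_EXTS = {".exe", ".scr", ".js", ".vbs", ".jse", ".wsf", ".bat", ".cmd"}
ARCHIVE_TYPES = {"application/zip", "application/x-zip-compressed"}


def is_japanese(text: str, min_ratio: float = 0.3) -> bool:
    """True when at least min_ratio of the non-space characters are
    Hiragana, Katakana or CJK ideographs (threshold is an assumption)."""
    total = sum(1 for ch in text if not ch.isspace())
    ja = sum(1 for ch in text
             if "\u3040" <= ch <= "\u30ff" or "\u4e00" <= ch <= "\u9fff")
    return total > 0 and ja / total >= min_ratio


def sender_domain(msg) -> str:
    """Domain part of the From address, lower-cased ('' if absent)."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()


def archive_executables(msg) -> list:
    """Names of executable-looking members inside zip attachments."""
    found = []
    for part in msg.iter_attachments():
        if part.get_content_type() not in ARCHIVE_TYPES:
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                for name in zf.namelist():
                    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
                    if ext in EXECUTABLE_EXTS:
                        found.append(name)
        except zipfile.BadZipFile:
            continue  # corrupt or non-zip payload: not this rule's concern
    return found


def triage(raw: bytes) -> dict:
    """Evaluate one raw RFC 5322 message against the three signals."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    execs = archive_executables(msg)
    result = {
        "japanese_body": is_japanese(text),
        "ru_sender": sender_domain(msg).endswith(".ru"),
        "archive_with_executable": bool(execs),
        "executables": execs,
    }
    # All three signals together make the campaign pattern; any one alone is
    # far too common to act on.
    result["flag"] = (result["japanese_body"] and result["ru_sender"]
                      and result["archive_with_executable"])
    return result


def build_lure_sample() -> bytes:
    """Constructed message shaped like the campaign's spam (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.exe", b"MZ" + b"\x00" * 62)  # placeholder bytes, not a real PE
    msg = EmailMessage()
    msg["From"] = "billing@example.ru"
    msg["To"] = "user@example.jp"
    msg["Subject"] = "ご請求書の送付"
    msg.set_content("お世話になっております。添付の請求書をご確認ください。")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


def build_benign_sample() -> bytes:
    """Constructed ordinary message that must not trigger the rule."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "user@example.jp"
    msg["Subject"] = "Meeting notes"
    msg.set_content("Hi, notes from today's meeting are in the wiki.")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("lure", build_lure_sample()), ("benign", build_benign_sample())):
        print(label, triage(raw))
```

The rule inspects the From header only, which the sender controls; on a real gateway the domain check belongs on the envelope sender and the SPF/DKIM result, and the archive check should also cover password-protected and nested archives, which this version skips.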

This past autumn, Japanese users were the target of another banking trojan named Shifu. IBM reports that, while Shifu infections have died down, the new Rovnix threat has emerged in its place starting early December 2015.

IBM X-Force currently ranks Rovnix ninth among the cyberthreats it tracks. Its comparatively low rank reflects its focus on one country at a time rather than the shotgun approach taken by the malware families ranked above it.

[Images: Japanese banks targeted by Rovnix malware; Cyberthreat ranking]