Written by: Bernadette Irinco

Japan accounted for 12% of the total number of online banking malware detections in 3Q 2015, making it one of the countries most affected by banking malware. In the past, we reported threats like VAWTRAK, DRIDEX, Gameover, and TROJ_WERDLOD that also targeted Japanese bank users. The growing number of people using online banking in Japan is likely one of the factors that made the country a target of online banking threats.

Figure 1. Top countries affected by online banking malware in 4Q 2015

ROVNIX first emerged in the wild in 2014; it became known for its ability to load a malicious rootkit driver from code written directly to the disk. Newer variants, however, keep their components in unallocated space on the disk that the malware formats as its own virtual file allocation table (VFAT). Because this hidden area lies outside any mounted file system, the malicious driver can evade detection and, consequently, removal from the system. The ‘resurgence’ of this threat comes with new targets as well as new routines and capabilities.

What regions are affected by ROVNIX?

ROVNIX is a bootkit with information-stealing and backdoor capabilities that initially targeted users in the Europe, Middle East, and Africa (EMEA) region starting in September 2014. Recently, ROVNIX was found to hit certain Japanese banks as well.

How do ROVNIX variants arrive on user systems?

Users download ROVNIX variants by following a malicious URL in spammed emails. Similar to DRIDEX, this malware also spreads through malicious macros delivered as part of its social engineering ploys. However, unlike CRIDEX (DRIDEX’s predecessor), the ROVNIX macro that triggers the malicious code is password-protected. This could make analysis and, subsequently, detection more difficult, although the VBA project password only blocks viewing the code in the editor; the macro source is still stored in the document and can be extracted with static analysis tools.

Figure 2. Sample spammed message

What happens when users execute ROVNIX variants on their systems?

While the routines of each ROVNIX variant may vary, it typically installs a malicious Initial Program Loader (IPL) that runs at every system startup, so the rootkit is loaded automatically on each reboot. It also has the capability to add malicious code to NTFS drivers. As a result, ROVNIX loads before the operating system, which means security solutions may not immediately detect its presence on the system.

The newer ROVNIX variants, however, occupy the area of the disk known as the Virtual File Allocation Table (VFAT). Because the payload is also dropped as a physical file on the system, it is easier to find than the earlier disk-only variants. Based on our analysis, there are two ways the payload is executed, depending on whether or not the disk is protected:

  • It drops the ROVNIX payload as a .DLL file, creates an autostart registry entry, and then executes the .DLL payload.
  • If the disk is unprotected, it enables two privileges in its process token: SeLoadDriverPrivilege (load and unload device drivers) and SeShutdownPrivilege (shut down the system). It also drops copies of itself and creates autostart registry entries. Afterward, it parses the MBR to find the partitions, locates the VBR and the IPL, and patches the IPL with malicious code. This is an effective autostart mechanism because code placed in the IPL is executed at every reboot, before the operating system loads.
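The IPL modification described above is also the most reliable place to look for this family on disk. The following script is an added example (it is not code from the Trend Micro write-up or from the malware): it walks the MBR partition table of a raw disk image, finds each NTFS volume's boot sector (VBR), hashes the bootstrap sectors that follow it, and compares the result with a known-good baseline. The disk image, the placeholder IPL bytes, and the "ROVNIX-style" patch are all constructed inline so that the check runs offline. It assumes a default NTFS layout in which the $Boot file spans the first 16 sectors of the volume (VBR plus 15 sectors of IPL code); other layouts would need a different sector count.

```python
"""Audit the MBR -> VBR -> IPL boot chain of a raw disk image for tampering.

Added example, not part of the original article. All input is constructed
here: one MBR with a single NTFS partition, a minimal NTFS VBR, and 15
sectors of stand-in IPL code. IPL_SECTORS = 15 is an assumption that matches
a default NTFS $Boot file (16 sectors including the VBR).
"""
import hashlib
import struct

SECTOR = 512
NTFS_OEM_ID = b"NTFS    "      # bytes 3..10 of an NTFS VBR
IPL_SECTORS = 15               # sectors after the VBR that hold the bootstrap (IPL)


def parse_mbr_partitions(mbr):
    """Return (type, start_lba, size_in_sectors) for each used primary partition entry."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("bad MBR signature")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        start_lba, size = struct.unpack_from("<II", entry, 8)
        if ptype != 0:
            parts.append((ptype, start_lba, size))
    return parts


def read_sectors(image, lba, count):
    return image[lba * SECTOR:(lba + count) * SECTOR]


def ipl_hash(image, start_lba):
    """SHA-256 over the IPL sectors of an NTFS volume, or None if not NTFS."""
    vbr = read_sectors(image, start_lba, 1)
    if vbr[3:11] != NTFS_OEM_ID:
        return None                      # ROVNIX patches the NTFS IPL only
    return hashlib.sha256(read_sectors(image, start_lba + 1, IPL_SECTORS)).hexdigest()


def audit_image(image, baseline):
    """Compare every NTFS partition's IPL hash against baseline {start_lba: sha256}."""
    findings = []
    for _ptype, start_lba, _size in parse_mbr_partitions(image[:SECTOR]):
        digest = ipl_hash(image, start_lba)
        if digest is None:
            continue
        status = "ok" if digest == baseline.get(start_lba) else "MODIFIED"
        findings.append((start_lba, status))
    return findings


def build_clean_image():
    """Constructed sample disk: MBR plus one 64-sector NTFS partition at LBA 2048."""
    part_start, part_size = 2048, 64
    mbr = bytearray(SECTOR)
    mbr[0:8] = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"          # typical boot-code prologue
    mbr[446:462] = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", part_start, part_size)
    mbr[510:512] = b"\x55\xaa"
    image = bytearray((part_start + part_size) * SECTOR)
    image[:SECTOR] = mbr
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xeb\x52\x90"                               # jmp short over the BPB
    vbr[3:11] = NTFS_OEM_ID
    vbr[510:512] = b"\x55\xaa"
    base = part_start * SECTOR
    image[base:base + SECTOR] = vbr
    for s in range(1, IPL_SECTORS + 1):                      # stand-in IPL code
        image[base + s * SECTOR: base + (s + 1) * SECTOR] = bytes([s]) * SECTOR
    return bytes(image)


def simulate_rovnix(image):
    """Overwrite the start of the first IPL sector, as a bootkit would, to divert boot flow."""
    patched = bytearray(image)
    part_start = parse_mbr_partitions(image[:SECTOR])[0][1]
    off = (part_start + 1) * SECTOR
    patched[off:off + 16] = b"\xe9\x00\x10" + b"\x90" * 13   # constructed: jmp into injected code
    return bytes(patched)


def demo():
    """Return (findings for the clean image, findings for the patched image)."""
    clean = build_clean_image()
    baseline = {start: ipl_hash(clean, start)
                for _t, start, _s in parse_mbr_partitions(clean[:SECTOR])}
    infected = simulate_rovnix(clean)
    return audit_image(clean, baseline), audit_image(infected, baseline)


if __name__ == "__main__":
    clean_result, infected_result = demo()
    print("clean:", clean_result)
    print("infected:", infected_result)
```

On a real system the baseline would be recorded from a known-clean image of the same machine (for example right after provisioning), and the audit run from outside the possibly infected OS, such as from boot media or against a forensic image, because a kernel-level rootkit that hooks disk I/O can hide the modified sectors from tools running on the live system.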

Newer variants of ROVNIX can exploit the vulnerabilities addressed in CVE-2013-3660, CVE-2014-4113, and CVE-2015-1701. These vulnerabilities are all in Win32k.sys and result in escalation of privileges once successfully exploited, which gives the attackers the rights they need to install ROVNIX on the system.

It also gathers data such as the OS name and file system format, which it sends to its C&C servers. In turn, these servers send back details such as new sets of C&C servers and binary files. One of the interesting routines of ROVNIX is that it can reach its C&C servers either over a plain HTTP connection or over I2P, which makes network detection more arduous.

Why is this threat noteworthy?

Unlike DRIDEX, VAWTRAK, and ZeuS Gameover, ROVNIX executes at the kernel level, leaving attackers and cybercriminals free to do anything on the infected system, whether that is stealing critical data or downloading other malware onto the system. Apart from compromising the security of the system, this threat also exploits Win32k vulnerabilities and can switch its C&C servers on the fly, making ROVNIX a difficult threat to neutralize. In addition, it hooks the major I/O Request Packet (IRP) dispatch routines of the storage stack, both to protect its own components on disk and to gain access to other data on the system.

During our analysis, we found similarities to the source code of CARBERP, a family of Trojans that also steals credentials. Both families drop the bootkit, which is the main malware. We surmise that the 2013 CARBERP source code leak could be one factor behind their similar, almost identical behavior. It is also possible that the cybercriminals behind ROVNIX bought the CARBERP source code, since it has been offered for sale in the underground market.

Are Trend Micro users protected from this threat?

Yes. Trend Micro secures its customers via the Smart Protection Network, which detects TROJ_ROVNIX_YPOT and other ROVNIX variants as well as their infection vectors, such as spam and malicious URLs. It also blocks all known related C&C servers. We advise users to remain vigilant when opening emails, even those that appear to come from legitimate sources. It is also best to have a security solution that can protect systems from threats that steal information for nefarious purposes.