Rovnix Variant Surfaces With New DGA

Researchers have unearthed a new version of the Rovnix malware that has a couple of additional features, including a new domain generation algorithm and a secure transmission channel for communicating with the command-and-control servers.

Rovnix is a malware variant that often has been distributed by other kinds of malware. Last year Microsoft warned users about a campaign that involved the Upatre malware, which typically is delivered through spam messages. Once installed on a new machine, Upatre sometimes will reach out to its C2 server and download Rovnix. That malware then will try to inject itself into the explorer.exe process.

The newer version of Rovnix, analyzed by researchers at CSIS in Denmark, has some differences from the older variants. Peter Kruse of CSIS said that the Rovnix creators have made changes to help evade detection by various security products.

“In the latest Rovnix variant, the author changed the protocol in order to avoid traffic detection by patterns. So now, it is generating a random file name, of which only the first letter is of importance. It can be one of the following three: “c” for config.php, “t” for task.php and “d” for data,” the analysis says.

Kruse said that the newest version of Rovnix has been seen in several campaigns targeting users in various European countries, including Norway and Poland. There are subtle differences among each of the campaigns that have been detected, including one that uses fast flux and encryption to protect its communications with the C2 server. CSIS found a copy of the user manual for Rovnix written in Russian that describes how to set up the new Web control panel for the malware.

“In the current campaign targeting Norway, a new version of the control panel, dubbed “IAP”, is used. The C&C panel was probably rewritten and renamed after a bug affecting the previous version was publicly reported,” Kruse said.
