The Rovnix malware, once an integral part of the Carberp financial trojan, is having a resurgence with a new variant that has been tweaked with a domain generation algorithm (DGA) to avoid traffic detection by pattern monitoring.
“Back in June 2014, we discovered a new malware campaign that was using a new DGA,” said Yurii Khvyl of the CSIS eCrime Unit, in an analysis. “This sparked our interest. We assumed that this was related to Gozi2, as several other sources had already reported the same observations. However, after our investigations we discovered that the ISFB debug string is indeed rather the private name for Rovnix.”
In the latest Rovnix variant, which has so far been observed in three campaigns targeting countries in Europe, the author has changed the protocol so that it generates a random file name, in order to avoid detection based on fixed patterns.
Rovnix implements a DGA that builds its domain names from words taken from the US Constitution. Some of the resulting names look genuinely random, with URLs like:
- accordinglytathdivine.com
- operationlegislative.eu
- brethavepeotaking.com
- abolitbegunknown.eu
- prerightlacoursewh.cn
- governmentformsact.eu
- overmartimeconstrains.cn
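A word-list DGA of this kind defeats simple pattern matching on fixed hostnames, but it leaves a different trace: long labels that decompose almost entirely into English words, which is rare for both legitimate domains and the purely random DGAs that entropy checks catch. The following script is an added example for defenders, not code from CSIS or from the article; it scores a domain label by how much of it a small dictionary covers (greedy longest match) and by its character entropy, and flags it as a word-list DGA or a random DGA accordingly. The dictionary, the thresholds and the benign/random sample domains are constructed assumptions for illustration; the seven Rovnix domains are the ones listed above.

```python
import math
from collections import Counter

# Constructed word list (an assumption for this example) standing in for the
# English vocabulary a text-seeded DGA draws on. It is not taken from the page
# and is deliberately small; a real detector would load a full dictionary.
WORDLIST = [
    "accordingly", "divine", "operation", "legislative", "have", "taking",
    "begun", "known", "unknown", "right", "course", "government", "forms",
    "act", "maritime", "constrains", "over", "the", "with",
]


def shannon_entropy(text):
    """Bits of entropy per character; high for random-looking labels."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def dictionary_coverage(label, words, min_len=3):
    """Fraction of the label covered by dictionary words, found by a
    left-to-right greedy longest-match scan. Unmatched characters are skipped
    one at a time, so partial word fragments simply lower the score."""
    i, covered, n = 0, 0, len(label)
    while i < n:
        best = 0
        for w in words:
            if len(w) >= min_len and len(w) > best and label.startswith(w, i):
                best = len(w)
        if best:
            covered += best
            i += best
        else:
            i += 1
    return covered / n if n else 0.0


def score_domain(domain, words=WORDLIST):
    """Return (label, dictionary coverage, entropy) for the leftmost label."""
    label = domain.strip().lower().split(".")[0]
    return label, dictionary_coverage(label, words), shannon_entropy(label)


def classify(domain, words=WORDLIST,
             coverage_threshold=0.5, entropy_threshold=3.5):
    """Classify a domain as 'wordlist-dga', 'random-dga' or 'benign-looking'.
    Thresholds are illustrative assumptions, not tuned values."""
    label, cov, ent = score_domain(domain, words)
    # Long labels built mostly from dictionary words: the Rovnix-style DGA.
    if len(label) >= 15 and cov >= coverage_threshold:
        return "wordlist-dga"
    # Long, high-entropy labels with almost no dictionary content.
    if len(label) >= 12 and ent >= entropy_threshold and cov < 0.3:
        return "random-dga"
    return "benign-looking"


if __name__ == "__main__":
    # The seven domains listed on the page plus two constructed controls.
    samples = [
        "accordinglytathdivine.com", "operationlegislative.eu",
        "brethavepeotaking.com", "abolitbegunknown.eu",
        "prerightlacoursewh.cn", "governmentformsact.eu",
        "overmartimeconstrains.cn",
        "xqzpvkjwrtybnmd.com",  # constructed random-looking label
        "example.com",          # constructed benign label
    ]
    for d in samples:
        label, cov, ent = score_domain(d)
        print(f"{d:28s} coverage={cov:.2f} entropy={ent:.2f} -> {classify(d)}")
```

Coverage is a better signal than entropy alone here: every one of the listed Rovnix domains scores above 0.5 even with this tiny dictionary, while the random control scores zero. In practice the scoring would be run over resolver logs or proxy logs and combined with other signals (newly registered domains, NXDOMAIN bursts), since long legitimate names made of common words can also score high.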
One campaign targeting Norway also includes a new version of the control panel, dubbed IAP, Khvyl said.
“The C&C panel was probably rewritten and renamed after a bug affecting the previous version was publicly reported,” he noted. “We managed to obtain a manual for setting up the panel, which is written in Russian.”