SafeUM

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
10 Nov 2014

Rovnix variant surfaces with new DGA

Researchers have unearthed a new version of the Rovnix malware that has a couple of additional features, including a new domain generation algorithm and a secure transmission channel for communicating with the command-and-control servers.

Rovnix is a malware variant that often has been distributed by other kinds of malware. Last year Microsoft warned users about a campaign that involved the Upatre malware, which typically is delivered through spam messages.

Once installed on a new machine, Upatre sometimes will reach out to its C2 server and download Rovnix. That malware then will try to inject itself into the explorer.exe process. The newer version of Rovnix, analyzed by researchers at CSIS in Denmark, has some differences from the older variants. Peter Kruse of CSIS said that the Rovnix creators have made changes to help evade detection by various security products.

“In the latest Rovnix variant, the author changed the protocol in order to avoid traffic detection by patterns. So now, it is generating a random file name, of which only the first letter is of importance. It can be one of the following three: ‘c’ for config.php, ‘t’ for task.php and ‘d’ for data,” the analysis says.
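The protocol change quoted above is a reminder that a detection signature keyed on a fixed filename (config.php, task.php) stops firing once the name is randomised, while the part the malware cannot randomise, here the first letter, survives. The following is an added example, not code from the article, from CSIS or from Threatpost: a small log scanner that extracts the requested filename from constructed proxy log lines, classifies it by that first letter, and only raises a host when one client touches at least two of the three roles there, since a single random-looking name beginning with c, t or d is far too common on its own. The log format, the host names, the "bare alphanumeric token with no extension" heuristic for a randomised name and the two-role threshold are all assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Invariant first letter -> role, taken from the CSIS quote on this page:
# "c" for config.php, "t" for task.php, "d" for data.
FIRST_LETTER_ROLES = {"c": "config", "t": "task", "d": "data"}

# Constructed sample proxy log (not real traffic): "<client> <method> <url> <status>".
# The hosts use the reserved .invalid TLD so nothing here resolves.
SAMPLE_LOG = """\
10.0.0.5 GET http://example-c2.invalid/c7fk2qz 200
10.0.0.5 POST http://example-c2.invalid/tq9x1 200
10.0.0.5 POST http://example-c2.invalid/dz4w88 200
10.0.0.7 GET http://cdn.example.invalid/css/main.css 200
10.0.0.7 GET http://news.example.invalid/tech/article 200
10.0.0.9 GET http://example-c2.invalid/config.php 200
"""

LOG_RE = re.compile(r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

# Assumed heuristic for a "randomised" name: one bare lowercase alphanumeric token,
# no extension, sitting directly under the host. The old fixed names (config.php)
# deliberately do not match; they belong to the legacy signature, not this one.
RANDOM_NAME_RE = re.compile(r"^[a-z0-9]{4,16}$")


def classify_request(url):
    """Return (role, name) when the URL's only path segment looks like a randomised
    filename whose first letter is c/t/d, otherwise None."""
    segments = [s for s in urlparse(url).path.split("/") if s]
    if len(segments) != 1:
        return None
    name = segments[0]
    if not RANDOM_NAME_RE.match(name):
        return None
    role = FIRST_LETTER_ROLES.get(name[0])
    if role is None:
        return None
    return role, name


def scan_log(text):
    """Parse each log line and collect every request that classify_request accepts."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or unrelated lines rather than fail the scan
        classified = classify_request(m["url"])
        if classified:
            role, name = classified
            hits.append({"client": m["client"],
                         "host": urlparse(m["url"]).hostname,
                         "role": role, "name": name})
    return hits


def suspicious_hosts(hits, min_roles=2):
    """Report (client, host) pairs where one client reached at least `min_roles`
    distinct roles on the same host. One c/t/d name is weak evidence; the
    config + task + data combination is what makes up the described protocol."""
    roles_seen = {}
    for h in hits:
        roles_seen.setdefault((h["client"], h["host"]), set()).add(h["role"])
    return sorted(key for key, roles in roles_seen.items() if len(roles) >= min_roles)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['client']} -> {h['host']}/{h['name']} looks like a {h['role']} request")
    for client, host in suspicious_hosts(found):
        print(f"ALERT: {client} spoke all of the c/t/d roles to {host}")
```

The threshold is the part worth tuning: raising `min_roles` to 3 demands the full config, task and data sequence before alerting, which lowers false positives but misses a host that was only seen fetching its configuration before the client went offline.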

Kruse said that the newest version of Rovnix has been seen in several campaigns targeting users in various European countries, including Norway and Poland. There are subtle differences among each of the campaigns that have been detected, including one that uses fast flux and encryption to protect its communications with the C2 server.

CSIS found a copy of the user manual for Rovnix written in Russian that describes how to set up the new Web control panel for the malware. “In the current campaign targeting Norway, a new version of the control panel, dubbed ‘IAP’, is used. The C&C panel was probably rewritten and renamed after a bug affecting the previous version was publicly reported,” Kruse said.

Tags:
Rovnix Windows information leaks Trojan
Source:
Threatpost