Researchers at IBM X-Force spotted the cybergang that controls the Rovnix Trojan launching an aggressive campaign against 14 major Japanese Banks.
The campaign has been active since December 2015 and infects users with the trojan via a downloader hidden in a socially engineered email claiming to be from an international transport company, according to the Jan. 7 threat post. The email is designed to trick victims into downloading the malicious attachment disguised as a waybill.
|Photo Courtesy of securityintelligence.com|
Once a user is infected, the trojan uses a web injection mechanism that perfectly mimics the look and feel of the bank webpages in order to trick the victim into divulging the second password or token for the ensuing fraudulent transaction, the report said.
Researchers also witnessed instances when the trojan deployed injections instructing victims to download an Android mobile app containing the Rovnix’s SMS hijacker. The malicious app would then listen for incoming SMS messages from the bank in search of transaction authorization codes.
“The mix of language-specific social engineering and mobile malware proves that the gang behind Rovnix has adequately prepared for the campaigns with all the necessary means for defrauding Japanese victims,” researchers said in the post.
The cybergang responsible for the campaign has also launched similar attacks on European banks as well. Researchers said only four out of 54 antivirus vendors properly detected the Rovnix Trojan at the time the post was written.