Rovnix bootkit returns with new features
The notorious Rovinx bootkit – a malicious program created to load and protect malware from detection – has reared it’s ugly head again.
It was found by Kaspersky researchers in a campaign that was exploiting the COVID-19 pandemic. However, this new version has been upgraded and features an unusual loader, delivering a backdoor with Trojan-spyware capabilities to victims’ computers.
The Rovnix bootkit faded away in 2013 when its source code was leaked, making it available for analysis by security vendors and pretty much anyone else. Then, in mid-April 2020, Kaspersky’s threat monitoring systems detected malicious files containing the famous bootkit.
The bootkit was distributed via the file "on the new initiative of the World Bank in connection with the coronavirus pandemic.exe" – a self-extracting archive that serves up a doc file and an executable malicious file.
The document contained information about a new initiative from the World Bank and real individuals related to the organisation were cited as authors in the metadata. Once opened the file would load the bootkit and start the infection process.
The new Rovnix version featured a number of enhancements, including a user account control (UAC) bypass mechanism, elevation of privileges on a device, and a loader that isn’t normally associated with this specific bootkit.
Analysis of detected files revealed that the payload was in fact a backdoor with Trojan-spy elements, meaning that once installed on the infected device, the bad actor would have access to the device and could also collect various types of information.
Alexander Eremin, a security analyst at Kaspersky, says this threat shows us two things: that we can never be sure that an old threat will not return, and that cyber criminals really do adapt quickly.
“Our analysis shows that once the source code of a threat goes public, it can result in surprises, as in the case with Rovnix. Freed from the need to develop their own protection-bypassing tools from scratch, cyber criminals can pay more attention to the capabilities of their own malware and add extra ‘goodies’ to the source code.”