In April 2020, Kaspersky researchers saw the return of the well-known Rovnix bootkit, a malicious program built to load other malware and shield it from detection, in a campaign that exploited the pandemic. Upgraded and fitted with an unusual loader, the bootkit delivered a backdoor with Trojan-spyware capabilities to victims’ computers.
The Rovnix bootkit was widely used until its source code was leaked in 2013, making it available for analysis by security vendors and anyone else interested. Then, in mid-April 2020, Kaspersky’s threat monitoring systems detected malicious files containing the bootkit. They were being distributed under a Russian-language file name that translates as “on the new initiative of the World Bank in connection with the coronavirus pandemic”.
The bootkit featured a number of improvements, including a User Account Control (UAC) bypass mechanism, privilege elevation on the device, and a loader that is not usually associated with this bootkit. Analysis of the detected files showed that the payload was a backdoor with Trojan-Spy elements: once installed, it gives the attacker access to the device and the ability to collect various types of information from it.
The bootkit was distributed as the file “on the new initiative of the World Bank in connection with the coronavirus pandemic.exe”, a self-extracting archive that drops a .doc file and a malicious executable. To make it more convincing, the document described a new World Bank initiative, and real individuals connected with the organization were named as authors in its metadata. Once the archive was opened, it launched the bootkit and began the infection process.
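The delivery vehicle described above, an executable that is really a self-extracting archive carrying a decoy document and a second executable, is something a triage script can flag before anyone double-clicks it. The following is an added example, not Kaspersky’s tooling or code from the Rovnix analysis: it checks whether a file is a PE image with a ZIP payload appended after the stub (a common SFX layout), lists the embedded entries, and flags both entries with executable extensions and entries whose content starts with an MZ header regardless of their name. The sample SFX bytes are constructed inline for the demonstration; the file names inside it are illustrative, not the real campaign’s.

```python
"""Triage a suspected self-extracting (SFX) archive: a PE stub with a ZIP payload appended.

Added example (not Kaspersky code). The sample file built by build_sample_sfx() is
constructed for this demo; its entry names are placeholders, not the real campaign's.
"""
import io
import zipfile

# Extensions Windows will execute directly; a decoy document should never come with one of these.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")

# Magic bytes of archive formats commonly used by SFX stubs.
ARCHIVE_SIGNATURES = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
}


def build_sample_sfx() -> bytes:
    """Construct a fake SFX: an 'MZ' stub followed by a ZIP with a decoy .doc and a dropped .exe."""
    stub = b"MZ" + b"\x90" * 62 + b"FAKE-PE-STUB-FOR-DEMO-ONLY" + b"\x00" * 100
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("initiative.doc", b"decoy document body")          # harmless placeholder text
        zf.writestr("initiative.exe", b"MZ" + b"\x00" * 64)           # PE-looking placeholder
    return stub + buf.getvalue()


def detect_archive_type(data: bytes) -> str:
    """Return the first embedded archive signature found after the first 2 bytes, or 'none'."""
    best = None
    for magic, name in ARCHIVE_SIGNATURES.items():
        pos = data.find(magic, 2)            # skip offset 0 so the PE header itself is not matched
        if pos != -1 and (best is None or pos < best[0]):
            best = (pos, name)
    return best[1] if best else "none"


def triage_sfx(data: bytes) -> dict:
    """Summarise why a file looks like a dropper: PE stub, embedded archive, and payload entries."""
    result = {
        "is_pe": data[:2] == b"MZ",
        "archive_type": detect_archive_type(data),
        "entries": [],
        "executable_names": [],   # entries judged by file extension
        "pe_payloads": [],        # entries judged by content (start with MZ), whatever their name
    }
    if result["archive_type"] != "zip":
        return result             # RAR/7z are reported but not parsed here
    try:
        # zipfile locates the end-of-central-directory record and tolerates prepended stub data.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                result["entries"].append(info.filename)
                if info.filename.lower().endswith(EXECUTABLE_SUFFIXES):
                    result["executable_names"].append(info.filename)
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":
                        result["pe_payloads"].append(info.filename)
    except zipfile.BadZipFile:
        result["archive_type"] = "zip-corrupt"
    return result


def is_suspicious_dropper(data: bytes) -> bool:
    """A PE that carries an archive containing another executable is worth a closer look."""
    r = triage_sfx(data)
    return r["is_pe"] and r["archive_type"] != "none" and bool(r["executable_names"] or r["pe_payloads"])


if __name__ == "__main__":
    sample = build_sample_sfx()
    print(triage_sfx(sample))
    print("suspicious:", is_suspicious_dropper(sample))
```

The content-based check (`pe_payloads`) matters because a dropper can name its payload `report.doc` and rely on the SFX stub to execute it anyway; extension lists alone miss that. RAR and 7z payloads are only detected, not unpacked, since the standard library cannot read them.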
“This example shows two things. Firstly, that we can never be sure that an old threat will not return, and secondly, cybercriminals really do adapt quickly – they are more agile in the tools they use and do not refrain from jumping on ‘hot’ topics. Our analysis shows that once the source code of a threat goes public, it can result in surprises, as in the case with Rovnix. Freed from the need to develop their own protection-bypassing tools from scratch, cybercriminals can pay more attention to the capabilities of their own malware and add extra ‘goodies’ to the source code,” comments Alexander Eremin, security analyst at Kaspersky.
To protect yourself from threats such as Rovnix, Kaspersky recommends users:
• Do not download files or open attachments received from untrusted sources.
• Use a reliable security solution such as Kaspersky Total Security.
Learn more details about Rovnix and its technical analysis on Securelist.com.