Wednesday, June 24, 2020
Kaspersky researchers have detected the return of the well-known Rovnix bootkit – a malicious program created to load and protect malware from detection – in a campaign that exploited the pandemic. Upgraded and featuring an unusual loader, the bootkit delivered a backdoor with Trojan-spyware capabilities to victims’ computers.
The Rovnix bootkit was very popular until its source code was leaked in 2013, making it available for analysis by all security vendors and other interested parties. However, in mid-April 2020, Kaspersky’s threat monitoring systems detected malicious files containing the famous bootkit. They were being distributed under a Russian-language file name meaning "on the new initiative of the World Bank in connection with the coronavirus pandemic", and the file contained the well-known threat.
The bootkit featured a number of improvements such as a User Account Control (UAC) bypass mechanism, elevation of privileges on a device, and a loader that isn’t usually associated with this specific bootkit. The analysis of detected files showed that the payload was in fact a backdoor with Trojan-Spy elements, meaning that once installed on the infected device, the attacker would have access to the device and could also collect various types of information.
The bootkit was distributed via the file "on the new initiative of the World Bank in connection with the coronavirus pandemic.exe" – a self-extracting archive that drops a document file and a malicious executable. To make it even more convincing, the document contained information about a new initiative from the World Bank, and real individuals related to the organization were cited as authors in the document’s metadata. However, once the archive was opened, it would load the bootkit and start the infection process.
“This example shows two things,” comments Alexander Eremin, security analyst at Kaspersky. “Firstly, that we can never be sure that an old threat will not return, and secondly, cybercriminals really do adapt quickly – they are more agile in the tools they use and do not restrain from jumping on ‘hot’ topics. Our analysis shows that once the source code of a threat goes public, it can result in surprises, as in the case with Rovnix. Freed from the need to develop their own protection-bypassing tools from scratch, cybercriminals can pay more attention to the capabilities of their own malware and add extra ‘goodies’ to the source code.”
To protect yourself from threats such as Rovnix, people should not download files or open attachments received from untrusted sources. Users should also use a reliable security solution for comprehensive protection from a wide range of threats, such as Kaspersky Security Cloud.
Learn more details about Rovnix and its technical analysis on Securelist.com.
Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 250,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.