Data443 & Cyren
Products
- - - Products
    - For OEMs
    - Malware Detection
    - Malware Analysis
    - URL Categorization
    - Email Security
    - Threat Intelligence
    - For Enterprises
    - Malware Analysis
    - Inbox Security for Office 365
    - Threat Intelligence
  - - In the News
      
      Online Businesses Become a Phisher’s Playground
      Not nearly enough businesses have deployed sufficient security measures against phishing attacks through website builders and CMS platforms.Read Article on DarkReading >
      
      Go to Newsroom >
Solutions
- - - Expert Support
      
      Cyren’s dedicated security analysts have the expertise to deeply investigate sophisticated threats – their embedded documents and messy code.
      
      And from their vantage point across companies, geographies, and industries, analysts can track emerging attack vectors and prevent breaches.
      
      “For any false positive or user reported items, we do not need to be involved. Cyren’s dedicated team is on top of all these items.”
      
      via Gartner Peer Insights
Resources
- - - Recent Posts
      - Analyzing behavior to protect against BEC attacks December 22, 2022
      - Using NLP techniques to protect against BEC attacks December 8, 2022
      - Phishing with QR codes December 1, 2022
Company
- - - Company
    - About Cyren
    - Careers
    - Management
    - In the News
    - Contact Us
  - - In the News
      
      Online Businesses Become a Phisher’s Playground
      Not nearly enough businesses have deployed sufficient security measures against phishing attacks through website builders and CMS platforms.Read Article on DarkReading >
      
      Go to Newsroom >
BOOK A DEMO

Select Page

Cyren Security Blog

The Cyren Security Blog is where Cyren engineers and thought leaders provide insights, research and analysis on a range of current cybersecurity topics.

No Hidden camera on fake Youtube/Vimeo pages – only hidden malware

Last week, CYREN detected interesting emails that contained links to fake video pages. We have included a screenshot of the email. The rough translation of the subject line is “hidden camera in their house”, and the Youtube link looks like it might deliver the goods – but of course the only hidden part is the Rovnix banking Trojan.

Clicking the link in the email will lead to one of several “youtube.com” links – but the actual domain is “beizhanliu.com”. The malicious URL’s vary and we gathered the following list:

The YouTube link that opens a Vimeo page should be a giveaway that all is not well but we assume enough users proceed to the next step. Once the page opens it suggests download of a “Missing Adobe Flash Plugin” which is actually a Rovnix BankingTrojan.

The downloaded file named “install_flashplayer14_mssa_aaa_aih.exe” is already detected by our heuristic signature “W32/Rovnix.A.gen!Eldorado “. Upon execution, it creates a copy of itself to the following location:

%System%[randomchars].exe

It also creates the following autorun registry entry so that it will run at windows startup:

HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun

[randomchars] = “%System%[randomchars].exe”

This new variant of Rovnix connects to the following C&C Servers that is hardcoded in the decrypted “.reloc” section of the malware:

In order to hide itself from the process it injects malicious code into the normal process “explorer.exe”. It also injects code into the following browsers to steal data, keystrokes, usernames and passwords:

In this Rovnix variant, the information data to be sent to C&C is encrypted with pseudo-ramdom algorithm and encoded with base64 in order to avoid detection in the traffic network.

Legend:

“/c[random_chars].php” – stands for /config.php

“/t[randomchars].php” – stands for /task.php

“/d[randomchars].php” – stands for /data.php

Decrypted Information Data:

The Rovnix Bot Version is 2.13.425.

Rovnix poses a critical security risk to computers. Keeping your antivirus definitions up to date, will protect you from Banking Trojans such as this.

Feb 13, 2015 | Security Research & Analysis

Categories

You might also like

Analyzing behavior to protect against BEC attacks

Business Email Compromise

Understanding “normal” behaviors in email exchanges are key to combating advanced phishing and BEC attacks by John Stevenson Detecting Business Email Compromise (BEC) In the final part of our series of blogs on Business Email Compromise (BEC), it’s time to look at how...

Using NLP techniques to protect against BEC attacks

Business Email Compromise, Office 365, Phishing

How Natural Language Programming help combat phishing and BEC attacks by John Stevenson Business Email Compromise (BEC) Business Email Compromise (BEC) covers a range of email attacks that typically share a common core attribute. There is no obvious executable...

Phishing with QR codes

Phishing, Security Research & Analysis

Don’t Scan or be Scammed By Maharlito Aquino, Kervin Alintanahin and Dexter To In 1994, a type of the matrix barcode known as the Quick Response code, now widely known as QR code, was invented by Masahiro Hara from a Japanese company Denso Wave. The purpose of the...