Crafty booby-trapped invoice malware empties Japanese bank accounts

And only 7 per cent of antivirus packages can block it

IBM's X-Force security team is warning of new malware preying on Japanese bank customers. The software nasty is stealthy enough to evade the vast majority of antivirus packages, we're told.

Japanese banks have been something of a low priority for crooks, given the difficulties of performing social engineering tricks using a language that's alien to the vast majority of cyber-crims. Having said that, the Land of the Rising Sun is coming under increasing attack, and this latest one is particularly sneaky.

The scam uses carefully crafted Japanese-language emails carrying ZIP attachments that appear to come from Russian .ru domains. As well as containing fake invoices, the archives also include the Rovnix malware kit – a complex app suite that has begun circulating on darknet forums.

Once a Windows PC has been infected – usually by a hapless user opening the booby-trapped invoice to trigger the malware's execution – the software nasty injects JavaScript into the login webpages for 14 Japanese banks. If the infected user tries to access their account via these tainted pages, the malicious scripts perform a man-in-the-middle attack that can defeat two-factor authentication, and ultimately gain access to the victims' funds.

In some cases, the IBM researchers found the malware also asks its victims to download specific Android applications, which snaffle the two-factor authentication texts sent out to smartphones.

Rovnix isn't in wide circulation. According to IBM, this particular configuration of the malware was detected by only four out of 54 antivirus products tested, although signature files are now being added.

"It is clear that the Japanese financial sector is under attack. It is now recognized as a lucrative target to cybercriminals from Japan and Eastern Europe," Big Blue said.

"IBM X-Force researchers expect Rovnix to continue its attacks in Japan and intensify campaigns in the country. We also expect to see other privately held malware gangs from within the country and Eastern Europe target financial entities in Japan." ®
