Analysts label this campaign as one of the most successful of the past few months. The attackers have also been quite precise in their targeting: about 87% of the infected machines are located in the UK, while Germany, the US, Italy and Iran each account for between 0.05% and 4% of the attacks.
According to Bitdefender experts, the ongoing campaign is proof that the Rovnix botnet is still growing bigger and stronger. The criminals' switch to encrypted communications in this campaign is read as a sign that this particular threat is still under active development, and more attacks are expected in the coming months.
By analyzing the botnet's DGA (domain generation algorithm), the experts found that it produces five to ten domains per quarter, or twenty to forty per year. The process draws on word lists extracted from publicly available text files such as RFC (Request for Comments) pages and the GNU Lesser General Public License. Although the campaign mainly targets computers in the UK, the US Declaration of Independence is also used as a reference when the C&C domain names are generated. Because the inputs are public and the schedule is tied to the calendar quarter, anyone who recovers the algorithm can pre-compute the candidate domains and block or sinkhole them in advance.
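To show how a word-list DGA of this kind works and why defenders can enumerate its output ahead of time, here is an added Python sketch. It is an illustration written for this page, not Rovnix's actual algorithm (which the article does not describe in detail) and not Bitdefender's code: the seed format, the SHA-256-based word selection, the two-word domain shape, the TLDs and the word-length filter are all assumptions, and the corpus is a short public-domain excerpt from the Declaration of Independence embedded as constructed sample input.

```python
import hashlib
import re

# Constructed sample corpus: a public-domain excerpt from the US Declaration
# of Independence. The article says Rovnix mined word lists from public texts
# (RFCs, the LGPL, this document); which words and how they are combined is
# not described, so everything below is an illustrative assumption.
SAMPLE_TEXT = """We hold these truths to be self-evident, that all men are created
equal, that they are endowed by their Creator with certain unalienable Rights,
that among these are Life, Liberty and the pursuit of Happiness."""


def extract_words(text, min_len=4, max_len=8):
    """Build a sorted, de-duplicated word list from a public text.

    Sorting matters: the generator indexes into this list, so the defender
    must reproduce exactly the same ordering to get the same domains.
    """
    words = {w.lower() for w in re.findall(r"[A-Za-z]+", text)}
    return sorted(w for w in words if min_len <= len(w) <= max_len)


WORDS = extract_words(SAMPLE_TEXT)


def quarter_of(year, month):
    """Per-quarter seed string (assumed format); constant within a quarter."""
    return f"{year}Q{(month - 1) // 3 + 1}"


def generate_domains(year, quarter, word_list, tlds=("com", "net"), count=5):
    """Derive `count` distinct domains for one quarter from the word list.

    Each candidate is driven by SHA-256(seed:counter) so that the bot and the
    analyst who has the word list and the seed format produce identical output.
    """
    seed = f"{year}Q{quarter}"
    domains = []
    counter = 0
    while len(domains) < count:
        digest = hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
        first = word_list[int.from_bytes(digest[0:4], "big") % len(word_list)]
        second = word_list[int.from_bytes(digest[4:8], "big") % len(word_list)]
        tld = tlds[digest[8] % len(tlds)]
        domain = f"{first}{second}.{tld}"
        if domain not in domains:  # skip collisions so the quota is exact
            domains.append(domain)
    return domains


def blocklist_for_year(year, word_list, per_quarter=5):
    """Defender view: enumerate every candidate C&C domain for a whole year
    (four quarters x per_quarter), suitable for a DNS blocklist or sinkhole."""
    result = []
    for quarter in (1, 2, 3, 4):
        result.extend(generate_domains(year, quarter, word_list, count=per_quarter))
    return result


if __name__ == "__main__":
    print("word list:", WORDS)
    for quarter in (1, 2, 3, 4):
        print(f"2014Q{quarter}:", generate_domains(2014, quarter, WORDS))
```

With five domains per quarter the year-long blocklist has twenty entries, the lower end of the range the researchers report. The practical lesson is in `extract_words`: a single difference in tokenisation, case folding or length filtering changes the indices and therefore every generated domain, which is why recovering the exact word-list construction is the hard part of reversing such a DGA.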
The researchers discovered that, unlike in the first attacks, where data exfiltrated from the compromised machine to the C&C server was sent in the clear, the new campaign encrypts this traffic in order to avoid detection by security products. Network controls that matched the earlier plaintext payloads will therefore no longer see it, leaving the predictable DGA domains and the traffic pattern itself as the remaining network-level indicators.
Bitdefender specialists' recommendations:
- Keep your operating system updated.
- Make sure that your antivirus program is up-to-date too.
- Beware of scams that require the execution of unknown code or applications.