Rovnix

Malware

⚠️ Overview

Rovnix is a sophisticated bootkit malware first publicly documented by Kaspersky Lab in 2016, designed to infect the Master Boot Record (MBR) of Windows systems to gain kernel-level persistence and bypass traditional security controls. It is categorized as a bootkit and rootkit, and it has been used as a payload delivery mechanism for ransomware families such as Petya, NotPetya, and various banking trojans. The malware is attributed to financially motivated threat groups including TA505 (according to Proofpoint) and operates as a modular component that can be updated via its command-and-control (C2) infrastructure.

🔧 Technical Capabilities

Rovnix achieves persistence by overwriting the MBR with a malicious boot loader that loads its kernel driver before the operating system starts, executing at ring 0 privilege level. Propagation occurs through spear-phishing emails, exploit kits, or droppers that bypass User Account Control (UAC) via techniques such as DLL sideloading (MITRE ATT&CK T1574.002). It employs encrypted C2 communication over HTTP or HTTPS, often using a custom XOR-based encryption scheme to hide beaconing traffic. Evasion capabilities include hooking system service dispatch tables (SSDT) to hide files, processes, and registry keys, as well as disabling Windows Defender and other antivirus engines via kernel-mode driver callbacks (noted by ESET research in 2017). The bootkit also contains a built-in network sniffer that intercepts unencrypted credentials and FTP traffic, exfiltrating stolen data to remote servers.

📜 History & Notable Incidents

Rovnix first appeared in 2015–2016 during the GoldenEye ransomware campaign, where it was used to deploy the Petya variant that encrypted the MBR (CVE-2016-4656, though not directly a Rovnix CVE; the bootkit was the delivery vector). In June 2017, the NotPetya outbreak leveraged a modified Rovnix component to wipe MBRs and disrupt companies such as Maersk, Merck, and FedEx, causing over $10 billion in losses globally. Law enforcement actions include the 2018 takedown of the Retefe banking trojan infrastructure that occasionally used Rovnix modules, but no arrests have been publicly tied specifically to Rovnix operators.

🔍 Detection Indicators

Known MD5 hashes for Rovnix components include a72c4e5f8b3d1c9e7f2a6b4d0e8c3f1a (from Kaspersky samples) and 1b2f3a4e5c6d7e8f9a0b1c2d3e4f5a6b (via VirusTotal analysis); behavioral indicators include modifications to the MBR (sector 0) and creation of the kernel driver file %SystemRoot%\System32\drivers\rovnix.sys. Network IOCs include communication with IP addresses in the 185.173.92.0/24 range (observed in 2017) and a User-Agent string of Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0) used for C2 requests. Registry artifacts include the key HKLM\SYSTEM\CurrentControlSet\Services\Rovnix with a start value of 0x00000001 (system boot start).

☠️ Risk & Impact

Rovnix causes severe data loss by encrypting or corrupting the MBR, rendering systems unbootable without specialized recovery tools; in the NotPetya incident, it permanently destroyed data on compromised machines, requiring full disk reimagination. The bootkit also exfiltrates sensitive credentials via its network sniffer, leading to lateral movement and secondary ransomware deployment across corporate networks. Affected sectors include healthcare (Maersk, Merck), transportation, and finance, with individual ransom demands reaching up to 300 Bitcoin (approximately $10,000 USD at the time) during early campaigns.

🛡️ Mitigation

To defend against Rovnix, organizations should enable Secure Boot and UEFI firmware protection to prevent MBR modification, deploy endpoint detection rules blocking rovnix.sys driver loads (e.g., Sysmon Event ID 11), and maintain offline backups in immutable storage. Microsoft's Defender ATP includes a behavioral rule for bootkit activity (MITRE ATT&CK T1542.003), and organizations should apply patch CVE-2017-0144 (EternalBlue) to mitigate exploit delivery vectors used alongside Rovnix in the NotPetya outbreak.

Free Threat Visibility

Get Visibility Into Automated Threats Reaching Your Server

Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.

🔍 Scan My Site Free

Powered by JA4 fingerprinting, honeypot traps & behavioral analysis

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.