Rovnix

Category: bootkit · Aliases: None known · Sample count (EMBER 2018): 5 · Enrichment: expert-seo · Updated: 2026-06-09

Overview

Trojan:Win32/Rovnix is a highly sophisticated bootkit and trojan downloader designed to infect the Master Boot Record (MBR) or Volume Boot Record (VBR) to achieve deep, undetectable persistence.

What is Rovnix?
For general users, Rovnix is invisible. For incident responders and forensic analysts, Rovnix represents one of the most difficult classes of malware to eradicate. By infecting the boot sector, Rovnix executes before the Windows operating system even loads. This allows it to patch the Windows kernel in memory, subvert all local security software, and load its malicious drivers completely undetected by standard anti-virus scanners.

Infection Vectors & Threat Hunting
Rovnix is typically distributed by other malware downloaders, exploit kits, or spearphishing campaigns. Upon execution, the installer drops a malicious driver (often highly obfuscated) that overwrites the VBR. Upon the next reboot, the bootkit loads into memory, hooks the INT 13h disk interrupt, and intercepts the OS loading process. Threat hunters cannot rely on file-level scanning to find Rovnix. Instead, they must hunt for anomalous outbound network connections to DGA domains (used to download secondary payloads like Carberp) or use specialized forensic tools to analyze the raw disk sectors.

Forensic Analysis & Impact
The primary impact of Rovnix is its ability to securely download and execute arbitrary secondary payloads while remaining completely hidden. Because it operates at Ring 0 (kernel level), it can intercept file system requests to hide its own components. Incident responders must perform offline forensic imaging (booting from a clean USB) to safely analyze the compromised MBR/VBR and extract the malicious driver payload for reverse engineering.

MITRE ATT&CK Techniques

Observed techniques used by this family, mapped to the MITRE ATT&CK framework:

TechniqueNameTactic
T1542.003Pre-OS Boot: BootkitPersistence
T1014RootkitDefense Evasion
T1105Ingress Tool TransferCommand and Control
T1055.001Process Injection: Dynamic-link Library InjectionDefense Evasion
T1568.002Dynamic Resolution: Domain Generation AlgorithmsCommand and Control

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_ROVNIX {
    meta:
        description = "Detects Rovnix (bootkit)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "rovnix" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Rovnix Activity
id: 07fb94dc4ebedca867aec3d4cc94be22
status: experimental
description: Detects generic indicators of the rovnix malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*rovnix*"
    condition: selection
level: medium

Containment & Response Steps

Ordered checklist for responders. Adapt to your environment and engage professional support for active incidents.

  1. Isolate the endpoint from the network to prevent the bootkit from downloading its secondary payloads.
  2. Do not trust any telemetry, task manager, or local AV logs from the live system, as the kernel-level rootkit will spoof these results.
  3. Perform a forensic triage by booting the machine from a known-clean Live CD or USB to image the raw disk and analyze the boot sectors.
  4. To remediate, the OS must be entirely rebuilt, and the Master Boot Record (MBR) or EFI partition must be completely wiped and rewritten.

What to Avoid

Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.

  1. Do not attempt a standard 'System Restore' or 'Reset this PC', as these mechanisms do not overwrite the infected boot sectors.
  2. Avoid ignoring a Rovnix infection just because the system 'seems fine'; it is actively preparing the environment for a massive ransomware or banking trojan drop.

References & External Analysis

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/rovnix.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.