<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p>The Rovnix downloader malware is now capable of checking whether its domains have been sinkholed before connecting to them, so that it can evade detection by security tools. This is a new capability not previously observed in malware operations.</p> <p>The activity we're seeing with this latest functionality maps to evasion technology in other malware and exploit kits that avoids detection by security tools and security professionals.</p> <p>In the case of Rovnix, it will not communicate with its command and control servers if it perceives potential interdiction by security researchers, thus bypassing security measures that rely on behavior-based detection.</p> <p>Information about the Rovnix malware and this new behavior was published recently by McAfee (Intel Security); more information can be found <a href="https://blogs.mcafee.com/mcafee-labs/rovnix-downloader-sinkhole-time-checks/">here</a>.</p> <p>ThreatSTOP customers are protected from Rovnix.</p></span>