Security experts are warning of newly discovered information-stealing malware designed to render the victim’s machine useless by destroying its master boot record if it believes it’s being analyzed by security tools.
Rombertik is a complex piece of malware designed to steal information from a user’s browser in a similar way to banking trojan Dyre, according to Cisco. It typically propagates via spam and phishing emails, using social engineering to trick the user into opening a malicious attachment.
However, it features “several layers of obfuscation along with anti-analysis functionality” designed to foil security researchers, the vendor said in a blog post.
The first is to include a large volume of “garbage code” – 97% in fact – designed to make the packed file appear legitimate and “overwhelm analysts by making it impossible to look at every function.”
It also tries to evade sandboxing – attempting to delay execution by writing a byte of random data to memory 960 million times.
This might force sandboxing tools to time out, and can flood app tracing tools, Cisco said.
If it is satisfied sandboxing has been evaded, Rombertik will then decrypt and install itself on a target machine to maintain persistence.
“After installation, it will then launch a second copy of itself and overwrite the second copy with the malware’s core functionality. Before Rombertik begins the process of spying on users, Rombertik will perform one last check to ensure it is not being analyzed in memory. If this check fails, Rombertik will attempt to destroy the Master Boot Record and restart the computer to render it unusable.”
If the malware can’t overwrite the master boot record because it doesn’t have permissions, it will destroy all files in the victim’s C drive by encrypting each with a randomly generated RC4 key:
“Effectively, Rombertik begins to behave like a wiper malware sample, trashing the user’s computer if it detects it’s being analyzed. While Talos has observed anti-analysis and anti-debugging techniques in malware samples in the past, Rombertik is unique in that it actively attempts to destroy the computer if it detects certain attributes associated with malware analysis.”
Guy Bunker, SVP of products at Clearswift, argued that the discovery was just another indication of the ever-evolving arms race between anti-malware firms and hackers.
“As with ransomware, the critical component to keeping your information safe is to have a backup which is regularly maintained,” he said. “This is just as true at work as it is in the home. Without a backup you are at the mercy of the cyber-criminal – and they show no mercy.”
Bunker added that improving staff education and awareness would also help.
“If you can prevent the infection from occurring in the first place then this is much easier than trying to fix the problem after it has occurred. Constant reminders out to employees that clicking on links or downloading applications can put the organization at risk – or the personal critical information you have on your home computer,” he argued.
“There also needs to be awareness around what to do if you think you have been infected, who to call and what to do next, for example disconnecting from the network to prevent further information from leaking out.”
Webroot senior threat research analyst Tyler Moffitt added that there are “multiple layers of protection” that can stop Rombertik before it has a chance to destroy a victim’s files.
The first is by detecting the .zip file as soon as it tries to write to disk.
“If that doesn't trigger, then the next level of protection is once it has been extracted,” he explained.
“The malware should be blocked in real-time right as the .scr executable inside the zip file attempts to write to the disk. If that fails, then the next layer of protection is through heuristic security, attempting to pick up any malicious action by the file.”
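The first layer Moffitt describes is catching the archive before its contents ever reach disk. The following is an added illustration of that kind of gateway check, written for this page and not taken from Webroot, Cisco or the article; the archive it inspects is a constructed fixture, and the extension list and two-level nesting limit are assumptions chosen for the example. It flags members with an executable extension (including double extensions such as invoice.pdf.scr), members that carry a Windows PE header under a harmless-looking extension, encrypted members a gateway cannot inspect, and nested archives.

```python
import io
import zipfile
from typing import List

# Extensions Windows launches directly on double-click. The article's sample
# arrived as an .scr inside a .zip; the rest are the usual suspects (assumed list).
EXECUTABLE_EXTENSIONS = {
    ".scr", ".exe", ".com", ".pif", ".bat", ".cmd",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".lnk",
}
PE_MAGIC = b"MZ"  # DOS header that starts every Windows PE file
MAX_NESTING = 2   # assumption: deeper nesting is itself suspicious


def _extension(name: str) -> str:
    """Lower-cased final extension, ignoring directory parts and trailing dots/spaces."""
    base = name.rsplit("/", 1)[-1].rstrip(" .").lower()
    return "." + base.rsplit(".", 1)[-1] if "." in base else ""


def risky_members(zip_bytes: bytes, depth: int = 0) -> List[str]:
    """Return one human-readable finding per suspicious member of the archive.

    An empty list means nothing in the archive tripped a check.
    """
    findings: List[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = _extension(name)
            if info.flag_bits & 0x1:  # bit 0 of the general-purpose flags = encrypted
                findings.append(f"{name}: encrypted member, cannot inspect")
                continue
            if ext in EXECUTABLE_EXTENSIONS:
                findings.append(f"{name}: executable extension {ext}")
            with zf.open(info) as fh:
                head = fh.read(2)
            # A PE file renamed to .docx/.pdf still starts with "MZ".
            if head == PE_MAGIC and ext not in EXECUTABLE_EXTENSIONS:
                findings.append(
                    f"{name}: PE header under non-executable extension {ext or '(none)'}"
                )
            if ext == ".zip":
                if depth >= MAX_NESTING:
                    findings.append(f"{name}: nested archive too deep")
                else:
                    findings.extend(
                        f"{name} -> {f}" for f in risky_members(zf.read(info), depth + 1)
                    )
    return findings


def should_block(zip_bytes: bytes) -> bool:
    """Gateway decision: block the attachment if any check fired."""
    return bool(risky_members(zip_bytes))


def build_sample_attachment() -> bytes:
    """Constructed fixture resembling a Rombertik-style lure (not a real sample)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        # PE bytes disguised as a document, one level down
        zf.writestr("scan.docx", PE_MAGIC + b"\x90\x00" + b"\x00" * 60)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        # double extension, as in the article's .scr-in-.zip lure
        zf.writestr("invoice.pdf.scr", PE_MAGIC + b"\x00" * 62)
        zf.writestr("readme.txt", b"Please see the attached invoice.\n")
        zf.writestr("archive.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for finding in risky_members(build_sample_attachment()):
        print(finding)
    print("block:", should_block(build_sample_attachment()))
```

The extension check alone would miss a renamed executable, and the magic-byte check alone would miss script formats, so the two are complementary; an encrypted member is reported rather than silently skipped because an attachment the gateway cannot read should not be treated as clean.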