A complex piece of malware dubbed Rombertik has been designed to steal user data and comprises several layers of anti-analysis functionality and obfuscation. Its final check is highly dangerous: if it is triggered, the malware self-destructs and destroys all the files stored in the user's home folder.
Hackers are spreading Rombertik through phishing and spam messages. The malware is able to read any plain-text data entered in the browser, capturing it before it gets encrypted.
A malware with such capability is not new, but according to Alex Chiu and Ben Baker of Cisco’s Talos group:
“Rombertik is unique in that it actively attempts to destroy the computer if it detects certain attributes associated with malware analysis.”
This kind of "destroyer" malware was previously used in the attack on Sony Pictures Entertainment in 2014 and against South Korea.
Rombertik’s exclusive feature is that it involves numerous layers of anti-analysis functionality and obfuscation.
The malware's last check is very dangerous for your computer: it computes a 32-bit hash of a resource held in memory and compares it with the value computed at compile time.
If that resource has somehow been altered since compile time, so that the hashes no longer match, Rombertik automatically initiates self-destruct mode.
It first targets the Master Boot Record (MBR), the first sector of a PC's hard drive, which the computer reads before loading the operating system.
In case Rombertik fails to access the MBR, it can potentially destroy all the files and data stored on the PC’s home folder by encrypting each file with a random RC4 key.
Once the MBR or the home folder has been overwritten or encrypted, the PC restarts and the replaced MBR enters an infinite loop that prevents the computer from booting, while the screen shows this message: "Carbon crack attempt, failed."
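Because Rombertik's self-destruct routine overwrites the first sector of the disk, a defender can catch that kind of tampering by baselining the MBR on a known-good system and re-checking it. The following Python script is an added example written for this article, not code from Cisco Talos or from the malware; the 512-byte sector it inspects is constructed inline so it runs offline, and on a real host the sector would instead be read from the raw disk device, which requires administrator rights.

```python
"""MBR integrity baseline check (added example, not from the Cisco Talos write-up).

Records a SHA-256 hash of the Master Boot Record while the system is known-good
and compares later reads against it. A hash mismatch, or a missing 0x55AA boot
signature, indicates the sector has been rewritten. The sample sector below is
constructed for the example.
"""
import hashlib

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"      # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446      # four 16-byte partition entries start here


def make_sample_mbr(boot_code: bytes = b"\xfa\x33\xc0\x8e\xd0") -> bytes:
    """Build a constructed 512-byte MBR-like sector: boot code, one partition entry, signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[: len(boot_code)] = boot_code
    entry = bytearray(16)
    entry[0] = 0x80                                   # bootable flag
    entry[4] = 0x07                                   # partition type (NTFS/exFAT)
    entry[8:12] = (2048).to_bytes(4, "little")        # starting LBA
    entry[12:16] = (204800).to_bytes(4, "little")     # sector count
    sector[PARTITION_TABLE_OFFSET : PARTITION_TABLE_OFFSET + 16] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def has_boot_signature(sector: bytes) -> bool:
    """A readable MBR ends in 0x55 0xAA; a wiped or looping replacement often does not."""
    return len(sector) == SECTOR_SIZE and sector[510:512] == BOOT_SIGNATURE


def mbr_hash(sector: bytes) -> str:
    """Hash the whole sector, boot code and partition table included."""
    return hashlib.sha256(sector).hexdigest()


def check_mbr(sector: bytes, baseline_hash: str) -> dict:
    """Compare a freshly read sector with the stored baseline and report findings."""
    findings = []
    if not has_boot_signature(sector):
        findings.append("boot signature 0x55AA missing")
    if mbr_hash(sector) != baseline_hash:
        findings.append("MBR hash differs from baseline")
    return {"ok": not findings, "findings": findings}


if __name__ == "__main__":
    good = make_sample_mbr()
    baseline = mbr_hash(good)          # store this while the system is known-good
    print("clean sector:", check_mbr(good, baseline))
    # Constructed tampered sector: boot code replaced, signature gone.
    tampered = b"\xeb\xfe" + bytes(SECTOR_SIZE - 2)
    print("tampered sector:", check_mbr(tampered, baseline))
```

In practice the baseline hash would be stored off-host (for example in an endpoint management system) and compared on each boot or on a schedule; any mismatch should be investigated before the machine is rebooted, since a rewritten MBR only takes effect at the next start-up.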
When Rombertik is first installed on a PC it quickly unpacks itself; 97% of the unpacked file's content is designed to make it appear legitimate. It comprises 8,000 decoy functions and 75 images, which are never actually used.
Also, it tries to evade sandboxing, that is, the practice of isolating code for some time till it has checked out.
Rombertik stays active and writes one byte of data to memory around 960 million times. This further complicates analysis for application tracking tools.
Source: Cisco Talos Group, http://blogs.cisco.com/security/talos/rombertik#conclusion