New 'Rombertik' Malware Wipes Hard Drives if Detected

By NDTV Correspondent | Updated: 6 May 2015 17:36 IST
Researchers from Cisco have identified a new malware that wipes out a computer in order to prevent detection or analysis. While malware that can detect and evade sandboxes has existed for a while, what makes Rombertik unique is the number of methods it employs to do so, and that it aggressively wipes out the system.

The malware, named Rombertik by Cisco Systems' Talos Group, was found in a limited number of samples early in the year, but has started to proliferate. The malware, which has been designed to steal user data without discrimination, features multiple layers of obfuscation and complication in order to avoid detection and analysis. Cisco's Ben Baker and Alex Chiu explain, "If the sample detected it was being analysed or debugged it would ultimately destroy the master boot record (MBR)."



Rombertik is software that comprehensively collects login credentials and other important files after being installed on a target system. Researchers explain that it installs on the PC when a user clicks on an attachment accompanying a malicious email. "Rombertik has been identified to propagate via spam and phishing messages sent to would-be victims... At a high level, Rombertik is a complex piece of malware that is designed to hook into the user's browser to read credentials and other sensitive information for exfiltration to an attacker controlled server, similar to Dyre. However, unlike Dyre which was designed to target banking information, Rombertik collects information from all websites in an indiscriminate manner."

As mentioned earlier, the malware features several methods to avoid detection and analysis. The malware executable itself contains thousands of lines of code that it never uses, which confuses detection processes. Another detection-avoidance tactic is to write a byte of data to memory 960 million times, fooling sandboxes into thinking it is a normal program; this ends up generating data logs larger than 100Gb, which take time to write.


If the malware manages to avoid detection by the first few lines of defence, it installs itself in both the startup folder and the AppData folder, and at some point later replaces itself with a newly unpacked executable. Once deeply rooted in the system like this, Rombertik constantly checks its state against an unpacked sample, and if it detects any changes, such as an attempt to wipe it out or quarantine it, it attacks the MBR (Master Boot Record), putting it into an infinite loop that prevents the system from continuing to boot. It also encrypts all files in the user's home folder with a random key that is nearly impossible to break. Since the MBR includes information on disk partitions, Rombertik makes the altered MBR overwrite the partition data, wiping out the hard drive.

The blog further details the process, "Once the unpacked version of Rombertik within the second copy of yfoye.exe begins executing, one last anti-analysis function is run - which turns out to be particularly nasty if the check fails. The function computes a 32-bit hash of a resource in memory, and compares it to the PE Compile Timestamp of the unpacked sample. If the resource or compile time has been altered, the malware acts destructively. It first attempts to overwrite the Master Boot Record (MBR) of PhysicalDisk0, which renders the computer inoperable. If the malware does not have permissions to overwrite the MBR, it will instead destroy all files in the user's home folder (e.g. C:\Documents and Settings\Administrator\) by encrypting each file with a randomly generated RC4 key. After the MBR is overwritten, or the home folder has been encrypted, the computer is restarted."
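An MBR integrity check of the kind a defender might use to baseline and later verify the first sector Rombertik targets, added here as an example (not code from the article or from Cisco's write-up): it parses a 512-byte MBR image, validates the 0x55AA boot signature and the partition table, and compares the bootstrap code against a recorded SHA-256. The MBR bytes below are constructed for the demonstration.

```python
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446   # bootstrap code occupies bytes 0..445
PART_ENTRY_SIZE = 16      # four entries, 16 bytes each
BOOT_SIG_OFFSET = 510     # bytes 510..511 must be 0x55 0xAA


def parse_partitions(mbr: bytes) -> list:
    """Decode the four partition entries: status, type, first LBA, sector count."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        parts.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return parts


def check_mbr(mbr: bytes, known_good_sha256: str = None) -> dict:
    """Return an integrity verdict; a wiped or looped MBR fails one or more checks."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    problems = []
    if mbr[BOOT_SIG_OFFSET:] != b"\x55\xaa":
        problems.append("boot signature 0x55AA missing")
    parts = parse_partitions(mbr)
    if all(p["type"] == 0 for p in parts):
        problems.append("partition table empty: no usable partition entries")
    if any(p["status"] == 0x80 and p["sectors"] == 0 for p in parts):
        problems.append("active partition has zero length")
    # Hash only the bootstrap area so a baseline survives legitimate partition edits
    digest = hashlib.sha256(mbr[:PART_TABLE_OFFSET]).hexdigest()
    if known_good_sha256 is not None and digest != known_good_sha256:
        problems.append("bootstrap code differs from recorded baseline")
    return {"ok": not problems, "problems": problems, "bootstrap_sha256": digest, "partitions": parts}


def build_sample_mbr() -> bytes:
    """Constructed sample: stub bootstrap bytes, one active NTFS partition, valid signature."""
    boot_code = b"\xfa\x33\xc0" + b"\x90" * (PART_TABLE_OFFSET - 3)  # placeholder, not real boot code
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)      # active, type 0x07 (NTFS), 100 MiB
    table = entry + b"\x00" * (PART_ENTRY_SIZE * 3)
    return boot_code + table + b"\x55\xaa"


if __name__ == "__main__":
    baseline = check_mbr(build_sample_mbr())
    print("healthy:", baseline["ok"], baseline["partitions"][0])
    wiped = check_mbr(b"\x00" * MBR_SIZE, known_good_sha256=baseline["bootstrap_sha256"])
    print("wiped:", wiped["ok"], wiped["problems"])
```

On a live machine the 512-byte image would come from a raw read of the first sector of the boot disk (which needs administrative rights), with the baseline digest stored off-host so that a compromised system cannot rewrite it.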


Cisco's Ben Baker and Alex Chiu have also listed a few security practices to avoid downloading such malware, such as installing anti-virus software and keeping it up to date, not clicking on attachments from unknown senders, and following security policies for email (such as blocking certain attachment types). As the malware has spread, anti-virus and other security software have started doing a better job of detecting it; however, as mentioned, if the software is not up to date it may miss it. The malware is reportedly also being sent out at an alarming rate now.
