New infostealer tries to foil analysis attempts by wiping hard drive
“Cisco researchers have discovered a new information-stealing Trojan that reads and records any plain-text data the victim types into their browser. But this discovery would be nothing to write home about were it not for the malware’s extremely destructive behavior if it detects malware researchers’ attempts to analyze it.
“At a high level, Rombertik is a complex piece of malware that is designed to hook into the user’s browser to read credentials and other sensitive information for exfiltration to an attacker controlled server, similar to Dyre. However, unlike Dyre which was designed to target banking information, Rombertik collects information from all websites in an indiscriminate manner,” the researchers noted.
However, if in the last stages of installation it gets a hint that someone is trying to analyze it, this initial goal is dropped, and the malware immediately begins to destroy the computer’s hard disk by overwriting the Master Boot Record (click on the screenshot to enlarge it):
“From the beginning, Rombertik incorporates several layers of obfuscation along with anti-analysis functionality,” they explained.
Unpacked, the malware is only 28KB, but the packed version is 1264KB, and contains a ton of images and functions that are never used, but are there simply to make it time-consuming for researchers to analyze each of them.
In order to evade sandboxes and application tracing tools, the malware initially writes a byte of random data to memory 960 million times. The sandbox is not triggered as the malware is not sleeping or doing anything particularly malicious, and analysis tools get overwhelmed with logging these write instructions.
After additional checks for detecting the existence of analysis tools, the malware is ready to unpack itself. The final anti-analysis function that’s run once the unpacked version of Rombertik begins executing is where things gets nasty if the check fails.
“The function computes a 32-bit hash of a resource in memory, and compares it to the PE Compile Timestamp of the unpacked sample. If the resource or compile time has been altered, the malware acts destructively. It first attempts to overwrite the Master Boot Record (MBR) of PhysicalDisk0, which renders the computer inoperable,” the researchers explain.
“If the malware does not have permissions to overwrite the MBR, it will instead destroy all files in the user’s home folder (e.g. C:\Documents and Settings\Administrator\) by encrypting each file with a randomly generated RC4 key. After the MBR is overwritten, or the home folder has been encrypted, the computer is restarted.”
The computer is then caught in an infinite loop that prevents the system to boot, and the only thing left to do is to wipe the computer and reinstall the OS.
Rombertik might be out to destroy victims’ computer, but having an infostealer on it is definitely bad news.
The malware is currently delivered via spoofed emails impersonating the “Windows Corporation, which urge the recipient to open an attached ZIP file in order to check whether the two companies might work together. The targets are obviously businesses.
The ZIP file contains a SCR screensaver executable file that contains Rombertik, but icon leads victims to believe that the file is a PDF.
“Good security practices, such as making sure anti-virus software is installed and kept up-to-date, not clicking on attachments from unknown senders, and ensuring robust security policies are in place for email (such as blocking certain attachment types) can go a long way when it comes to protecting users,” the researchers advised.”