Rombertik: Get to know the most destructive malware

Rombertik is new malware built to intercept its victims' credentials; it unleashes a series of catastrophic behaviours on the infected computer in order to evade the analysis tools that antivirus products usually include.

If the malware does not destroy the computer during installation, it hooks itself into almost every well-known browser (Internet Explorer, Chrome and Firefox) and records the victim's traffic to every website visited.

The data it collects, captured before the browser encrypts it, is delivered to the command and control (C&C) server over HTTP.

Malware analysts from Cisco Systems' Talos Group, who isolated a sample of the malware, named it Rombertik. They reverse-engineered it to identify all the functions it contains for bypassing both static and dynamic analysis.

One of the final checks Rombertik performs to make sure it evades detection is to compute a hash of the system, which it compares with the decompressed version of itself.

If it discovers any difference in compile times it unleashes its destructive behaviour, and as a first move destroys the computer's master boot record (MBR). Immediately afterwards it starts encrypting the user's files.

The MBR is the boot sector at the beginning of a hard disk; it keeps track of all the partitions on the computer and the data they hold.

So after Rombertik destroys the MBR, the computer falls into a loop of continuous restarts and displays error messages.

The researchers report that the bytes holding the disk partition information are overwritten with zero bytes, which makes data recovery a very difficult process.
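As an added example (not code from the article or from Talos), the following Python check parses the MBR partition table and flags the zeroed-out table the researchers describe; it works on a constructed 512-byte sample image rather than a real disk, and on a live system the first 512 bytes of the disk device would be read into `mbr` instead.

```python
import struct

MBR_SIZE = 512
PT_OFFSET = 446          # the four 16-byte partition entries start at byte 446
ENTRY_SIZE = 16
BOOT_SIG = b"\x55\xaa"   # boot signature stored in bytes 510-511


def parse_partitions(mbr: bytes) -> list:
    """Decode the four partition table entries of a 512-byte MBR."""
    entries = []
    for i in range(4):
        raw = mbr[PT_OFFSET + i * ENTRY_SIZE: PT_OFFSET + (i + 1) * ENTRY_SIZE]
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", raw)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def mbr_health(mbr: bytes) -> dict:
    """Classify an MBR image as intact, wiped (partition table all zeros) or corrupt."""
    if len(mbr) != MBR_SIZE:
        return {"state": "corrupt", "reason": "wrong size", "partitions": 0}
    table = mbr[PT_OFFSET:PT_OFFSET + ENTRY_SIZE * 4]
    # Check for zeroing before the signature: a wipe may clobber both.
    if table == b"\x00" * len(table):
        return {"state": "wiped", "reason": "partition table is all zero bytes", "partitions": 0}
    if mbr[510:512] != BOOT_SIG:
        return {"state": "corrupt", "reason": "missing 0x55AA boot signature", "partitions": 0}
    used = [e for e in parse_partitions(mbr) if e["type"] != 0 and e["sectors"] != 0]
    return {"state": "intact", "reason": "", "partitions": len(used)}


def build_sample_mbr() -> bytes:
    """Constructed sample: one bootable NTFS (type 0x07) partition at LBA 2048."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    table = entry + b"\x00" * (ENTRY_SIZE * 3)
    return b"\xeb\x63" + b"\x90" * (PT_OFFSET - 2) + table + BOOT_SIG


def zeroed_table_fixture(mbr: bytes) -> bytes:
    """Test fixture only: copy of an MBR image with its partition table zeroed."""
    return mbr[:PT_OFFSET] + b"\x00" * (ENTRY_SIZE * 4) + mbr[PT_OFFSET + ENTRY_SIZE * 4:]


if __name__ == "__main__":
    good = build_sample_mbr()
    print(mbr_health(good))                        # intact, 1 partition
    print(mbr_health(zeroed_table_fixture(good)))  # wiped
```

Comparing the current sector against a known-good copy saved at build time turns this into a boot-time integrity check rather than a post-mortem one.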

The encryption that follows the destruction of the MBR completes the destruction of the computer, since each file is locked separately with a randomly generated RC4 key.

Analysis of the malware revealed that its authors tried not to use old code, which usually contains garbage. The researchers also report that more than 97% of the code shows no malicious traces.

Also interesting is the technique Rombertik uses before unpacking itself to trick the sandbox tools built into antivirus products. The malware delays its execution by writing a random byte to system memory 960 million times.

The effect of this behaviour is to outlast the timeout of any sandbox. The same action also floods antivirus detection tools, since recording the activity would require a 100 GB log file that takes more than 25 minutes to write to disk.

iGuRu.gr, The Best Technology Site in Greece


Written by giorgos
