Rombertik: a new malware built to intercept its victims' credentials exhibits a series of catastrophic behaviors on the infected computer in order to evade the analysis tools that antivirus products usually include.
Although the malware does not destroy the computer during its installation, it plants itself in almost all the well-known browsers (Internet Explorer, Chrome and Firefox) and logs every move the victim makes on every website they visit.
The data it collects, captured before the web browser encrypts it, is delivered to the command and control (C&C) server via HTTP.
Malware analysts from Cisco Systems' Talos Group, who isolated a sample of the malware and named it Rombertik, reverse-engineered it to identify all the functions it contains for bypassing static as well as dynamic analysis.
One of the final checks Rombertik performs to make sure it escapes detection is to compute a hash of its image in system memory and compare it with its decompressed version.
If it discovers any difference in the compilation times, it unleashes its destructive behaviors: its first move is to destroy the computer's master boot record (MBR), and immediately afterwards it starts encrypting the user's files.
The MBR is the boot sector at the beginning of a hard disk; it holds the partition table that describes all the partitions on the computer and the data they contain.
So, once Rombertik destroys the MBR, the computer goes into a loop of continuous restarts and displays error messages.
Researchers report that the bytes holding the disk partition information are overwritten with zero bytes, which makes data recovery a very difficult process.
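For a responder who has pulled the first sector off an affected disk, the quickest triage question is whether the partition table has in fact been zeroed or whether only the boot signature or boot code is damaged. The following parser is an added example written for this article; it is not code from Talos or from the malware. It assumes the standard MBR layout (446 bytes of boot code, four 16-byte partition entries at offset 446, and the 0x55AA signature at offset 510) and works on a constructed 512-byte sample rather than a real disk image.

```python
import struct
import sys

# Standard MBR layout (assumed; matches the classic PC partition scheme).
MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16
PARTITION_TABLE_END = PARTITION_TABLE_OFFSET + 4 * PARTITION_ENTRY_SIZE  # 510
BOOT_SIGNATURE = b"\x55\xAA"


def parse_partition_table(mbr: bytes) -> list[dict]:
    """Decode the four partition entries of a 512-byte MBR image."""
    if len(mbr) < MBR_SIZE:
        raise ValueError("an MBR image must be at least 512 bytes")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        # status(1) CHS start(3, skipped) type(1) CHS end(3, skipped) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def triage_mbr(mbr: bytes) -> dict:
    """Classify an MBR image: intact, partition table zeroed, signature missing, or empty."""
    table = mbr[PARTITION_TABLE_OFFSET:PARTITION_TABLE_END]
    table_zeroed = not any(table)
    signature_ok = mbr[510:512] == BOOT_SIGNATURE
    entries = parse_partition_table(mbr)
    used = [e for e in entries if e["type"] != 0]
    if table_zeroed:
        verdict = "partition table zeroed"
    elif not signature_ok:
        verdict = "boot signature missing"
    elif not used:
        verdict = "no partitions defined"
    else:
        verdict = "ok"
    return {"partition_table_zeroed": table_zeroed, "boot_signature_ok": signature_ok,
            "entries": entries, "used_entries": len(used), "verdict": verdict}


def build_sample_mbr() -> bytes:
    """Constructed healthy sample (not from a real disk): one bootable NTFS partition."""
    mbr = bytearray(MBR_SIZE)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    mbr[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + PARTITION_ENTRY_SIZE] = entry
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def build_wiped_sample_mbr() -> bytes:
    """Constructed damaged sample: the 64 partition-table bytes overwritten with zeros."""
    mbr = bytearray(build_sample_mbr())
    mbr[PARTITION_TABLE_OFFSET:PARTITION_TABLE_END] = bytes(64)
    return bytes(mbr)


if __name__ == "__main__":
    # Pass a path to a raw first-sector dump to triage it; otherwise run on the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            images = {sys.argv[1]: fh.read(MBR_SIZE)}
    else:
        images = {"healthy sample": build_sample_mbr(), "wiped sample": build_wiped_sample_mbr()}
    for name, image in images.items():
        result = triage_mbr(image)
        print(f"{name}: {result['verdict']} ({result['used_entries']} partition(s) defined)")
        for e in result["entries"]:
            if e["type"]:
                print(f"  entry {e['index']}: type 0x{e['type']:02X} start LBA {e['lba_start']} "
                      f"length {e['sectors']} sectors bootable={e['bootable']}")
```

The check distinguishes three different failure modes that all present as a machine that will not boot: a zeroed table (what the article describes), a missing 0x55AA signature with the table intact, and a table that was never populated. Only the first two suggest deliberate destruction, and only the zeroed table means the partition geometry has to be recovered from backup or by carving.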
The encryption process that follows the destruction of the MBR completes the destruction of the computer, since each file is locked separately with a randomly generated RC4 key.
Analysis of the malware revealed that its creators tried to avoid reusing old code, which usually contains garbage. The researchers also report that more than 97% of the code shows no malicious functionality.
Also interesting is the technique Rombertik uses before decompression to fool the sandbox tools found in antivirus products: the malware delays its execution by writing a random byte to system memory 960 million times.
The consequence of this behavior is that it outlasts the waiting time of any sandbox. The same action also floods antivirus detection tools, since they would need to create a 100GB log file to record the activity, which would take more than 25 minutes to write to disk.