A new information-stealing Trojan dubbed Rombertik has been spotted by researchers at Cisco. The threat can read and record any data typed by the user in the web browser in plain text. What makes the Trojan worth writing about is its aggressive behavior if it detects that anyone is trying to examine it.
How Does Rombertik Operate?
The researchers describe Rombertik as a sophisticated malware similar to the Dyre Banking Trojan. Rombertik has the ability to collect sensitive information (for example login credentials) from the victim’s browser and send it to a remote server. The difference between the two threats is that Rombertik targets data from all web pages visited by the user.
If, during the last steps of the installation process, the Trojan detects any attempt to analyze it, it abandons its original purpose and starts destroying the victim’s hard disk by overwriting the Master Boot Record.
Cisco experts explain that from the very beginning the Trojan “incorporates several layers of obfuscation along with anti-analysis functionality.”
Rombertik’s unpacked version is 28 KB, while the packed one is 1264 KB. The latter contains numerous functions that are never called. Analysts believe their purpose is to waste researchers’ time by forcing them to analyze each of them separately.
At first, Rombertik writes one byte of random data to memory 960 million times in order to evade tracing tools and sandboxes. Because the malware performs no malicious actions during this phase, sandboxes are not triggered, while analysis tools are kept busy processing the write instructions.
Before the Trojan unpacks itself, it checks one last time for the presence of analysis tools. It’s the final part, just before the threat is launched, that is the real issue.
Rombertik’s Final Touch – The Anti-Analysis Feature
Here is how Cisco’s researchers explain the final function of the Trojan:
“The function computes a 32-bit hash of a resource in memory and compares it to the PE Compile Timestamp of the unpacked sample. If the resource or compile time has been altered, the malware acts destructively. It first attempts to overwrite the Master Boot Record (MBR) of PhysicalDisk0, which renders the computer inoperable.”
In case Rombertik is not allowed to overwrite the MBR, the threat starts destroying the files in the victim’s home folder. Rombertik encrypts each of the files with an RC4 key that is randomly generated.
As soon as all files are encrypted or the MBR is overwritten, the compromised machine is restarted.
Then the machine is caught in an endless loop that prevents any attempt to boot the system. The victim is left with no other choice but to reinstall the operating system.
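As an added illustration (not code from the Cisco report or the article), the following Python reads the COFF TimeDateStamp, the PE compile timestamp that the tamper check quoted above keys on, so an analyst can confirm that a working copy of a sample still carries the same compile timestamp as the original before it is executed. The minimal PE header is constructed inline and the timestamp value is made up.

```python
import struct
from datetime import datetime, timezone


def pe_compile_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (the PE compile timestamp) of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    # e_lfanew at offset 0x3C of the DOS header points at the "PE\0\0" signature
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # COFF file header follows the signature: Machine(2), NumberOfSections(2),
    # TimeDateStamp(4), ... so the timestamp sits 4 bytes into the header
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + 4 + 4)
    return timestamp


def compile_time_utc(data: bytes) -> str:
    """Render the compile timestamp as a human-readable UTC string."""
    ts = pe_compile_timestamp(data)
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def timestamp_matches(original: bytes, candidate: bytes) -> bool:
    """True if the candidate copy still carries the original's compile timestamp."""
    return pe_compile_timestamp(original) == pe_compile_timestamp(candidate)


def build_minimal_pe(timestamp: int) -> bytes:
    """Constructed sample: a DOS header with e_lfanew=0x40, the PE signature and a COFF header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    # Machine=i386, 1 section, timestamp, no symbols, no optional header, EXE flags
    coff = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    sample = build_minimal_pe(0x554A0C3F)  # made-up timestamp
    print("compile time:", compile_time_utc(sample))
    patched = bytearray(sample)
    struct.pack_into("<I", patched, 0x40 + 4 + 4, 0)  # simulate a header edit
    print("timestamp preserved:", timestamp_matches(sample, bytes(patched)))
```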
At the moment of this writing, Rombertik is distributed to the targeted PC as a ZIP file attached to a spam email message claiming to have been sent by the “Windows Corporation”.
The ZIP file, disguised as a PDF file, contains an executable in which Rombertik is hidden.
Users are advised to keep their security solution up-to-date and never open emails or download attachments to messages sent from unknown sources.