Rombertik, A New Info-Stealing Trojan Destroys the MBR Upon Analysis Attempts



A new information-stealing Trojan dubbed Rombertik has been spotted by researchers at Cisco. The threat can read and record any data typed by the user in the web browser in plain text. What makes the Trojan worth writing about is its aggressive behavior if it detects that anyone is trying to examine it.


How Does Rombertik Operate?

The researchers describe Rombertik as a sophisticated malware similar to the Dyre Banking Trojan. Rombertik has the ability to collect sensitive information (for example login credentials) from the victim’s browser and send it to a remote server. The difference between the two threats is that Rombertik targets data from all web pages visited by the user.

If, during the last steps of the installation process, the Trojan detects any attempt to analyze it, it abandons its original purpose and starts destroying the victim’s hard disk by overwriting the Master Boot Record.

Cisco experts explain that from the very beginning the Trojan “incorporates several layers of obfuscation along with anti-analysis functionality.”

Rombertik’s unpacked version is 28KB and the packed one – 1264KB. The latter contains numerous functions that are never called. Analysts believe their purpose is to waste researchers’ time by forcing them to analyze each function separately.

At first, Rombertik writes one byte of random data to memory 960 million times in order to evade tracing tools and sandboxes. Since the malware performs no malicious action during this phase, sandboxes are not triggered, while tracing tools are kept busy processing the write instructions.

Before the Trojan unpacks itself, it checks one last time for the presence of analysis tools. It’s the final part, just before the threat is launched, that is the real issue.

Rombertik’s Final Touch – The Anti-Analysis Feature

Here is how Cisco’s researchers explain the final function of the Trojan:

“The function computes a 32-bit hash of a resource in memory and compares it to the PE Compile Timestamp of the unpacked sample. If the resource or compile time has been altered, the malware acts destructively. It first attempts to overwrite the Master Boot Record (MBR) of PhysicalDisk0, which renders the computer inoperable.”
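To make the quoted check concrete, here is an added illustration (not code from Cisco or from the sample) of where the PE compile timestamp lives and why a rebuilt or relinked binary no longer satisfies a comparison against it. The minimal PE image and the resource blob are constructed inline, and CRC32 stands in for the unspecified 32-bit hash; that choice is an assumption, not something the article states.

```python
import struct
import zlib


def build_minimal_pe(timestamp: int) -> bytes:
    """Constructed minimal PE image (not a real sample): a DOS header pointing at
    the "PE\\0\\0" signature, followed by a COFF file header with the given
    TimeDateStamp. Only the fields the parser below needs are meaningful."""
    e_lfanew = 0x40                                  # offset of the PE signature
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)      # e_lfanew lives at 0x3C
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 0, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


def pe_compile_timestamp(image: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp from a PE image in memory.

    The linker writes this field at build time, so unpacking a sample and
    relinking it produces a different value even if nothing else changed."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # signature (4) + Machine (2) + NumberOfSections (2) precede the timestamp
    (timestamp,) = struct.unpack_from("<I", image, e_lfanew + 8)
    return timestamp


def resource_matches_timestamp(image: bytes, resource: bytes) -> bool:
    """Model of the described self-check: a 32-bit hash of a resource blob is
    compared with the compile timestamp. CRC32 is used here as a stand-in for
    the unspecified hash (assumption)."""
    return (zlib.crc32(resource) & 0xFFFFFFFF) == pe_compile_timestamp(image)


def demo() -> dict:
    """Run the check against an intact image and a 'relinked' one."""
    resource = b"constructed resource blob"           # constructed sample data
    expected = zlib.crc32(resource) & 0xFFFFFFFF
    intact = build_minimal_pe(expected)
    # Rebuilding an unpacked sample gives it a new TimeDateStamp, so the
    # comparison fails even though the resource itself is untouched.
    relinked = build_minimal_pe(expected ^ 0x1)
    return {
        "intact": resource_matches_timestamp(intact, resource),
        "relinked": resource_matches_timestamp(relinked, resource),
    }


if __name__ == "__main__":
    print(demo())
```

The practical lesson for analysts is that both inputs to such a comparison are cheap to inspect: the timestamp is a fixed header field that any PE parser can read, and a changed timestamp on a rebuilt or patched sample is a signal that the sample may behave differently from the one seen in the wild.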

If Rombertik is unable to overwrite the MBR, it instead starts destroying the files in the victim’s home folder, encrypting each of them with a randomly generated RC4 key.

As soon as all files are encrypted or the MBR is overwritten, the compromised machine is restarted.

Then the machine is caught in an endless loop that prevents any attempt to boot the system. The victim is left with no other choice but to reinstall the operating system.
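An MBR that has been overwritten is easy to recognise from a disk image or a forensic copy of the first sector. The following added example (written for this article, not taken from Cisco’s research) parses the classic 512-byte MBR layout, hashes it against a known-good baseline, and reports what an overwritten sector looks like. The sample sector and its partition entry are constructed inline.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"
PARTITION_TABLE_OFFSET = 446


def parse_mbr(sector: bytes) -> dict:
    """Parse the classic MBR layout: boot code, four partition entries, 0x55AA."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * i
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, offset)
        if ptype == 0 and count == 0:
            continue                                   # empty slot
        partitions.append({
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": count,
        })
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
    }


def mbr_fingerprint(sector: bytes) -> str:
    """SHA-256 of the whole sector; record this while the system is known good."""
    return hashlib.sha256(sector).hexdigest()


def check_mbr(sector: bytes, baseline_fingerprint: str) -> list:
    """Return a list of findings; an empty list means the sector looks intact."""
    findings = []
    parsed = parse_mbr(sector)
    if not parsed["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if not parsed["partitions"]:
        findings.append("no partition entries")
    if mbr_fingerprint(sector) != baseline_fingerprint:
        findings.append("sector hash differs from baseline")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed known-good MBR: placeholder boot code, one bootable NTFS-type
    partition starting at LBA 2048, and the 0x55AA boot signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:2] = b"\xEB\xFE"                          # constructed stand-in for boot code
    struct.pack_into("<I", sector, 440, 0xDEADBEEF)    # constructed disk signature
    struct.pack_into("<B3xB3xII", sector, PARTITION_TABLE_OFFSET, 0x80, 0x07, 2048, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = mbr_fingerprint(good)
    print("intact:", check_mbr(good, baseline))
    print("zero-filled:", check_mbr(bytes(SECTOR_SIZE), baseline))
```

In practice the 512 bytes would be read from a forensic image or, with administrative rights, from the raw disk device; the baseline fingerprint belongs in the asset inventory so that a changed sector can be flagged before the next reboot turns it into an unbootable machine.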

At the moment of this writing, Rombertik is distributed to the targeted PC as a ZIP file attached to a spam email message claiming to have been sent by the “Windows Corporation”.

The ZIP file, disguised as a PDF file, contains an executable in which Rombertik is hidden.

Users are advised to keep their security solution up-to-date and never open emails or download attachments to messages sent from unknown sources.

