Complex Rombertik Malware Corrupts Drives to Prevent Code Analysis

The malware, which attempts to steal information about Websites and users, deletes the master boot record—or all user files—to avoid detection, according to a Cisco analysis.

Malware Attack 2

Attackers are adopting increasingly malicious tactics to evade security researchers' analysis efforts, with a recently discovered data-stealing program erasing the master boot record of a system's hard drive if it detects signs of an analysis environment, according to report published by Cisco on May 4.

The malware, dubbed Rombertik, compromises systems and attempts to steal information, such as log-in credentials and personal information, from the victim's browser sessions, researchers with Cisco's Talos security intelligence group stated in the report.

When the malware installs itself, the software runs several anti-analysis checks, attempting to determine if the system on which it is running is an analysis environment. If the last check fails, the malware deletes the master boot record, or MBR, which is required to correctly start up the computer system.

"The interesting bit with Rombertik is that we are seeing malware authors attempting to be incredibility evasive," Alexander Chiu, a threat researcher with Cisco, said in an email interview with eWEEK. "If Rombertik detects it's being analyzed running in memory, it actively tries to trash the MBR of the computer it's running on. This is not common behavior."

Attackers are increasingly attempting to prevent defenders from analyzing the tools and programs they use to conduct criminal and espionage operations. In a recent analysis, researchers with security firm Seculert found a variant of the Dyre banking Trojan that used a simple check—counting the number of processing cores—to detect if it was in a virtual environment.

"At a high level, Rombertik is a complex piece of malware that is designed to hook into the user's browser to read credentials and other sensitive information for exfiltration to an attacker controlled server, similar to Dyre," Cisco's researchers stated in the report. "However, unlike Dyre which was designed to target banking information, Rombertik collects information from all websites in an indiscriminate manner."

Rombertik is distributed through various spam campaigns, often camouflaged as a PDF file. In reality, the attachment is a screensaver executable that, if the user opens the binary, attempts to run on the system. The prevalence of the malware is currently not known.

During an installation attempt, Rombertik attempts multiple times to determine if it might be in an analysis environment. The program has a lot of unused code, including uncalled functions and images that the malware authors included to try to camouflage the malware's functionality, Cisco's researchers stated.

The program also attempts to outlast automated analysis by writing a byte to memory nearly a billion times. Automated systems are often designed to run for a limited length of time, so as to efficiently process as many files as possible. The technique of writing data so many times could potentially crash some environments, Cisco stated.

"If an analysis tool attempted to log all of the 960 million write instructions, the log would grow to over 100 gigabytes," the researchers said. "Even if the analysis environment was capable of handling a log that large, it would take over 25 minutes just to write that much data to a typical hard drive. This complicates analysis."

When it reaches its final check, Rombertik deletes the MBR or—if it's unable to— it deletes all files in the user's account, according to Cisco.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...