Complex Rombertik Malware Corrupts Drives to Prevent Code Analysis
The malware, which attempts to steal information about Websites and users, deletes the master boot record—or all user files—to avoid detection, according to a Cisco analysis.

Attackers are adopting increasingly malicious tactics to evade security researchers' analysis efforts, with a recently discovered data-stealing program erasing the master boot record of a system's hard drive if it detects signs of an analysis environment, according to a report published by Cisco on May 4.

The malware, dubbed Rombertik, compromises systems and attempts to steal information, such as log-in credentials and personal information, from the victim's browser sessions, researchers with Cisco's Talos security intelligence group stated in the report. When the malware installs itself, it runs several anti-analysis checks to determine whether the system on which it is running is an analysis environment. If the last check fails, the malware deletes the master boot record, or MBR, which is required to correctly start up the computer system.

"The interesting bit with Rombertik is that we are seeing malware authors attempting to be incredibly evasive," Alexander Chiu, a threat researcher with Cisco, said in an email interview with eWEEK. "If Rombertik detects it's being analyzed running in memory, it actively tries to trash the MBR of the computer it's running on. This is not common behavior."
Attackers are increasingly attempting to prevent defenders from analyzing the tools and programs they use to conduct criminal and espionage operations. In a recent analysis, researchers with security firm Seculert found a variant of the Dyre banking Trojan that used a simple check—counting the number of processing cores—to detect if it was in a virtual environment.