Cisco Unearths ‘Rombertik’ Virus That Self-Destructs When Poked By Security Researchers

Security firms and anti-malware providers sure do have their work cut out for them, a fact that seems to get emphasized every day. As attackers become more creative, researchers have to dig deep in order to understand how malware manages to hide itself so well. It used to be that static scanners would be suitable enough, but that's hardly the case nowadays. Attackers are becoming even more creative, creating almost ninja-like malware.

Take Rombertik, for example. This is a piece of malware that was deeply analyzed by Cisco's Talos Security Intelligence and Research Group that at the high level hooks into a user's Web browser to read sensitive information that is then passed along to a remote attack server. Cisco notes that this is not too dissimilar from the Dyre malware we talked about last month. Unlike Dyre, Rombertik doesn't target banking information specifically, but instead fetches whatever it deems useful.

Rombertik Spam

Rombertik is spread through spam and phishing campaigns, and ultimately persuades its receivers to download, extract, and then open the attachments. It might be hard to believe, and not to mention unfortunate, but yes, people still fall for this.

In Rombertik's case, it seems most attachments were PDFs, or at least looked like PDFs. In reality, they were renamed .SCR screensaver files -- an attack point that has been present for ages. With simple detection mechanisms, Rombertik can go unnoticed as it manages to avoid both static and dynamic analysis.

Once executed, Rombertik will run through a couple of checks to make sure it's not running in a sandbox, and if not, it will fully install itself on the victim's PC. It then copies itself and overwrites the copy with a copy that bundles the malware's core functionality.

Rombertik Design

Here's where things get interesting: if the final check fails, which is to see if it's being analyzed in memory, Rombertik will purge the hard disk's MBR and reboot, so that the PC becomes unbootable. If the MBR is somehow unaffected by its attempts, Rombertik will instead render the user's home folder useless by encrypting each file with a random key, and then reboot. Neither of these routes are ideal, but the former could be fixed - the latter cannot.

If you want to dig deep into how Rombertik works, you'll want to check out the article below, as it's very in-depth, and even a bit enlightening. For the enterprise and home alike, this is yet another example of why staff need to be well-aware of the dangers of opening unsolicited attachments.