The malware, which attempts to steal information about Web sites and users, deletes the master boot record—or all user files—to avoid detection, according to a Cisco analysis.
Attackers are adopting increasingly malicious tactics to evade security researchers’ analysis efforts, with a recently-discovered data-stealing program erasing the master boot record of a system’s hard drive if it detects signs of an analysis environment, according to report published by Cisco on May 4.
When the malware installs itself, the software runs several anti-analysis checks, attempting to determine if the system on which it is running is an analysis environment. If the last check fails, the malware deletes the master boot record, or MBR, which is required to correctly start up the computer system.
“The interesting bit with Rombertik is that we are seeing malware authors attempting to be incredibility evasive,” Alexander Chiu, a threat researcher with Cisco, said in an e-mail. “If Rombertik detects it’s being analyzed running in memory, it actively tries to trash the MBR of the computer it’s running on. This is not common behavior.”
Attackers are increasingly attempting to prevent defenders from analyzing the tools and programs they use to conduct criminal and espionage operations. In a recent analysis, researchers with security firm Seculert found a variant of the Dyre banking trojan that used a simple check—counting the number of processing cores—to detect if it was in a virtual environment.
Rombertik has been identified to propagate via spam and phishing messages sent to would-be victims. Like previous spam and phishing campaigns Talos has discussed, attackers use social engineering tactics to entice users to download, unzip, and open the attachments that ultimately result in the user’s compromise.“At a high level, Rombertik is a complex piece of malware that is designed to hook into the user’s browser to read credentials and other sensitive information for exfiltration to an attacker controlled server, similar to Dyre,” Cisco’s researchers stated in the report. “However, unlike Dyre which was designed to target banking information, Rombertik collects information from all websites in an indiscriminate manner.”
Rombertik is distributed through various spam campaigns, often camouflaged as a PDF file. In reality, the attachment is a screensaver executable which, if the user opens the binary, attempts to run on the system. The prevalence of the malware is currently not known.
During an installation attempt, Rombertik attempts multiple times to determine if it might be in an analysis environment. The program has a lot of unused code, including uncalled functions and images which the malware authors included to try to camouflage the malware’s functionality, Cisco’s researchers stated.
The program also attempts to outlast automated analysis by writing a byte to memory nearly a billion times. Automated systems are often designed to run for a limited length of time, so as to efficiently process as many files as possible. The technique of writing data so many times could potentially crash some environments, Cisco stated.
“If an analysis tool attempted to log all of the 960 million write instructions, the log would grow to over 100 gigabytes,” the researchers said. “Even if the analysis environment was capable of handling a log that large, it would take over 25 minutes just to write that much data to a typical hard drive. This complicates analysis.”
When it reaches its final check, Rombertik deletes the MBR—or if it's unable to— it deletes all files in the user’s account, according to Cisco.