Rombertik

By GoldSparrow in Spyware

Malware analysts have reported the appearance of an extremely harmful threat that uses various creative and extreme methods to avoid detection and removal. Rombertik may overwhelm sandbox environments (often used by security researchers to study threats in a controlled setting) and render a hard drive unusable when it detects that it is being examined. While other infections may try to obfuscate their own workings in order to make it difficult for computer security researchers to study them, Rombertik will aggressively search for any signs that it is being monitored or removed. If Rombertik detects that it is being monitored or is inside a virtual machine, it will attempt to change the MBR (master boot record) content of the local hard drive, rendering it completely useless. Rombertik's methods for obfuscation and attack are unique, marking a new step in the fight between threat developers and security researchers.

Rombertik is a Data Collector

Once installed, Rombertik is a typical data collector, sniffing out sensitive data on an infected computer and sending it to a remote location. However, once Rombertik detects that it is being run in a virtual machine, it will deliberately attack its environment in order to hinder PC security researchers' work. 97% of Rombertik's code is there simply to obfuscate its true functions. As soon as it starts up, Rombertik writes 960 million random bytes to memory. This does nothing by itself, but a program that is trying to track everything Rombertik does (as would happen in a virtual machine) would suddenly have to deal with more than 100 GB in log files! After writing this random data, Rombertik carries out invalid functions specifically to provoke certain errors, which may not appear in a virtual machine. Only after Rombertik has confirmed that it is not running on a virtual machine will this threat unpack itself. The Rombertik code is extremely obfuscated, containing dozens of unnecessary functions and jumps, as well as an impressive amount of bloat.

Although it sounds complex, the Rombertik process is fairly straightforward, even though the path to get there includes a complicated array of checks, function blocks and hundreds of different nodes. Rombertik is designed to function smoothly but be extremely difficult to analyze. At the end of its unpacking process, Rombertik will compute a 32-bit hash that is compared to an unpacked sample. If Rombertik detects it is in a virtual machine, it will attack the local hard drive. To do this, Rombertik will first try to access and overwrite the Master Boot Record. Rombertik will also use an RC4 encryption key to encrypt all files in the Administrator folder. Rombertik specifically targets the partition data in the Master Boot Record, overwriting it with null bytes in order to make it extremely difficult to recover the hard drive.
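The partition-table wiping described above leaves a recognisable trace: the four 16-byte partition entries at offset 446 of the first sector are all null, and possibly the 0x55AA boot signature is gone as well. The following is an added example, not code from the article or from any Rombertik sample, that a responder could run over an imaged first sector to confirm that kind of damage. The two sample MBRs it checks are constructed inline; the NOP filler standing in for boot code and the single NTFS partition entry are assumptions for the sake of the example.

```python
"""
Added example (not the article's code): parse a 512-byte MBR and flag
partition entries overwritten with null bytes or a missing boot signature.
Sample MBRs are constructed inline; no real disk is read.
"""
import struct
from typing import List

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte MBR partition entry into its fields."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry
    )
    return {
        "bootable": status == 0x80,
        "type": ptype,
        "lba_start": lba_start,
        "sectors": sectors,
        "empty": entry == b"\x00" * PARTITION_ENTRY_SIZE,
    }


def inspect_mbr(mbr: bytes) -> dict:
    """Summarise the MBR's health: boot signature present, how many of the
    four partition entries are zeroed, and whether the table looks wiped."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(mbr)}")
    signature_ok = mbr[510:512] == BOOT_SIGNATURE
    entries = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        entries.append(parse_partition_entry(mbr[start:start + PARTITION_ENTRY_SIZE]))
    empty_count = sum(1 for e in entries if e["empty"])
    return {
        "signature_ok": signature_ok,
        "partitions": [e for e in entries if not e["empty"]],
        "empty_entries": empty_count,
        # All four entries nulled, or no signature, means the disk will not boot;
        # this is the damage pattern the article describes.
        "table_wiped": empty_count == 4 or not signature_ok,
    }


def build_sample_mbr(entries: List[bytes], with_signature: bool = True) -> bytes:
    """Construct a synthetic MBR for testing (constructed data, not a real disk)."""
    boot_code = b"\x90" * PARTITION_TABLE_OFFSET  # NOP filler in place of boot code (assumption)
    table = b"".join(entries) + b"\x00" * PARTITION_ENTRY_SIZE * (4 - len(entries))
    sig = BOOT_SIGNATURE if with_signature else b"\x00\x00"
    return boot_code + table + sig


# Constructed: one bootable NTFS partition (type 0x07) starting at LBA 2048, 1 GiB of 512-byte sectors
HEALTHY_ENTRY = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 2097152)
HEALTHY_MBR = build_sample_mbr([HEALTHY_ENTRY])
# Constructed: the same sector after its partition table has been overwritten with null bytes
WIPED_MBR = build_sample_mbr([])


if __name__ == "__main__":
    for name, sample in (("healthy", HEALTHY_MBR), ("wiped", WIPED_MBR)):
        print(name, inspect_mbr(sample))
```

On a real image you would read the first 512 bytes of the device or image file and pass them to `inspect_mbr`; a result with `table_wiped` set is the signal to fall back to partition carving rather than trusting the table.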

Who Created Rombertik?

Rombertik spreads using phishing methods that are not very sophisticated. Rombertik also uses browser data capture methods that are not particularly complicated. This is what is particularly strange about Rombertik; it combines these simple, classic threat characteristics with extremely sophisticated anti-detection measures and an extremely aggressive strategy when Rombertik detects that it may be in a virtual machine. The types of obfuscation techniques involved in Rombertik are more typical of a well-financed threat attack, such as a state-backed threat. Although PC security researchers do not have likely suspects for the creators of Rombertik, it is extremely rare to see such a devastating anti-detection strategy in a mainstream threat infection. PC security analysts are particularly worried that Rombertik's obfuscation and anti-detection methods could become part of the mainstream and be integrated into other, more popular types of threats. All in all, Rombertik is quite an interesting development in the world of PC security and may have future repercussions.
