The ongoing game between malware authors and white-hat security has officially gone to the next level thanks to a new and extremely aggressive malware system that does not limit itself to obfuscating its own operation. It begins by aggressively scanning for clues that someone may be monitoring its actions; if it detects that it is running inside a virtual machine, the Rombertik malware attempts to go off the grid and begins to overwrite the master boot record saved on the local hard drive.
Rombertik is armed with an anti-debugging feature, as Cisco Systems pointed out in its analysis of the new malware. It is common for malware to contain anti-debugging, anti-analysis, and anti-virtualization features. The most sophisticated attacks do not go after their main target right away: the payload is delayed for a certain amount of time in order to determine whether it is running on a real machine or in a sandbox.
Rombertik also carries a lot of content that exists only to make it look legitimate. Cisco estimates that at least 97% of the packaged file is devoted to functions and images that the malware never actually uses.
Once it is fully up and running, it begins writing 960 million random bytes to memory. This serves no useful function for the malware itself, but it ensures that any application attempting to trace the malware's activity would be flooded with over 100 GB of log files.
If an analysis tool tried to log all of that, it would take over 25 minutes just to write it to a hard drive, which seriously complicates any analysis. What really makes Rombertik stand out is that it will overwrite the MBR or even encrypt files if it detects any kind of tampering. Other malware families detect tampering too, but they respond by simply exiting.
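One way an analysis tool can survive a flood like the one described above is to never write one log line per event in the first place: normalise each traced API call to a coarse key, count repeats, and cap the number of distinct keys it will track. The following is an added illustration written for this page, not Cisco's tooling or anything taken from Rombertik; the event format (a dict with an 'api' name and an 'args' tuple), the thresholds, and the constructed sample trace are all assumptions.

```python
"""Collapse repetitive API-trace events so a log-flooding sample cannot
bury an analysis run under gigabytes of near-identical lines.

Added illustration, not Cisco's tooling or anything from Rombertik itself:
the event format (a dict with an 'api' name and an 'args' tuple) and the
thresholds below are assumptions for the example.
"""
import os
from collections import OrderedDict
from typing import Iterable, Iterator, List, Tuple

# A key seen at least this many times is reported once with a count.
REPEAT_FOLD = 3
# Ceiling on distinct keys retained, so random-looking argument values
# cannot make the aggregator itself grow without bound.
MAX_KEYS = 10_000

Key = Tuple[str, Tuple[str, ...]]


def event_key(event: dict) -> Key:
    """Normalise an event to (api, coarse argument shapes).

    Byte buffers and addresses change on every call during a flood, so
    they are replaced by type-and-length or the label 'ptr'; small
    scalars and strings are kept verbatim.
    """
    shaped = []
    for arg in event.get("args", ()):
        if isinstance(arg, (bytes, bytearray)):
            shaped.append(f"bytes[{len(arg)}]")
        elif isinstance(arg, int) and arg > 0xFFFF:
            shaped.append("ptr")  # assumption: large ints are addresses
        else:
            shaped.append(repr(arg))
    return event["api"], tuple(shaped)


def aggregate(events: Iterable[dict]) -> List[str]:
    """Return one compact log line per distinct key, in first-seen order."""
    counts: "OrderedDict[Key, int]" = OrderedDict()
    dropped = 0
    for ev in events:
        key = event_key(ev)
        if key in counts:
            counts[key] += 1
        elif len(counts) < MAX_KEYS:
            counts[key] = 1
        else:
            dropped += 1  # keep a tally rather than a line per event
    lines = []
    for (api, args), n in counts.items():
        suffix = f" x{n}" if n >= REPEAT_FOLD else ""
        lines.append(f"{api}({', '.join(args)}){suffix}")
    if dropped:
        lines.append(f"<{dropped} events dropped: {MAX_KEYS} distinct keys reached>")
    return lines


def constructed_trace(n_writes: int) -> Iterator[dict]:
    """Constructed sample trace: one file open, then n_writes memory
    writes of fresh random bytes, mimicking the flooding behaviour."""
    yield {"api": "CreateFileW", "args": ("a.tmp",)}
    for i in range(n_writes):
        yield {"api": "WriteProcessMemory",
               "args": (0x7FFE0000 + 64 * i, os.urandom(64))}


if __name__ == "__main__":
    for line in aggregate(constructed_trace(5000)):
        print(line)
```

Run as-is, the 5,001 constructed events collapse to two lines, the second reading `WriteProcessMemory(ptr, bytes[64]) x5000`. The design choice that matters is the normalisation in event_key: if the random payload or the moving address were kept in the key, every write would be distinct again and the cap would be the only thing standing between the tool and a 100 GB log.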
Rombertik battles MBR
How does it actually accomplish this? It makes an invalid function call and looks for a particular error, one that a VM would suppress. Once it has determined that it is not in a sandbox, it begins to unpack itself. The code that is unpacked consists largely of jumps, unneeded bloat, and junk functions.
At the end of this process, it computes a 32-bit hash and compares it against the unpacked sample; if it concludes that it is running in a VM, it declares war on your Master Boot Record (MBR). If it is unable to overwrite the MBR, it begins encrypting all of the files in the settings\administrator and C:\Documents folders with an RC4 key. If it can reach the MBR, it overwrites the partition data with null bytes, which makes the drive very hard to ever restore.
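From the defender's side, the practical consequence of the null-byte overwrite above is that a saved copy of sector 0 (taken before the incident, or pulled from a disk image afterwards) can be checked mechanically: is the 0x55AA boot signature still there, is the partition table all zeros, and does the sector still hash to the known-good baseline? The script below is an added example written for this page, not Cisco's analysis code or anything from the malware; the sample MBR it builds is constructed, and the verdict labels are my own.

```python
"""Sanity-check a saved copy of a disk's first sector (the MBR) after a
suspected destructive infection: signature present, partition table not
zeroed, and optionally unchanged against a known-good SHA-256 baseline.

Added defender-side example, not Cisco's analysis code or anything from
the malware. The sample MBR built here is constructed, not a real disk.
"""
import hashlib
import struct
from typing import List, Optional

MBR_SIZE = 512
PART_TABLE_OFF = 446        # four 16-byte partition entries start here
PART_ENTRY_LEN = 16
SIG_OFF = 510               # 0x55 0xAA boot signature
BOOT_SIG = b"\x55\xAA"
ENTRY_FMT = "<BBBBBBBBII"   # status, CHS start(3), type, CHS end(3), LBA, sectors


def sha256_hex(sector: bytes) -> str:
    return hashlib.sha256(sector).hexdigest()


def parse_partitions(mbr: bytes) -> List[dict]:
    """Decode the non-empty partition entries from an MBR sector."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _, _, _, ptype, _, _, _, lba, size = struct.unpack(
            ENTRY_FMT, mbr[off:off + PART_ENTRY_LEN])
        if ptype != 0:
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": size})
    return parts


def inspect_mbr(mbr: bytes, baseline_sha256: Optional[str] = None) -> dict:
    """Classify the sector as ok / modified / wiped_or_corrupt."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    signature_ok = mbr[SIG_OFF:SIG_OFF + 2] == BOOT_SIG
    table = mbr[PART_TABLE_OFF:SIG_OFF]
    table_zeroed = table == bytes(len(table))
    matches = None if baseline_sha256 is None else sha256_hex(mbr) == baseline_sha256
    if not signature_ok or table_zeroed:
        verdict = "wiped_or_corrupt"     # consistent with a null-byte overwrite
    elif matches is False:
        verdict = "modified"             # boot code or table differs from baseline
    else:
        verdict = "ok"
    return {"signature_ok": signature_ok,
            "partition_table_zeroed": table_zeroed,
            "matches_baseline": matches,
            "partitions": parse_partitions(mbr),
            "verdict": verdict}


def build_sample_mbr() -> bytes:
    """Constructed MBR: a small boot-code marker, one bootable type-0x07
    primary partition starting at LBA 2048, and the boot signature."""
    mbr = bytearray(MBR_SIZE)
    mbr[0:3] = b"\xEB\x63\x90"                      # constructed jmp stub
    mbr[PART_TABLE_OFF:PART_TABLE_OFF + PART_ENTRY_LEN] = struct.pack(
        ENTRY_FMT, 0x80, 0x00, 0x02, 0x00, 0x07, 0xFE, 0xFF, 0xFF, 2048, 1_000_000)
    mbr[SIG_OFF:SIG_OFF + 2] = BOOT_SIG
    return bytes(mbr)


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = sha256_hex(good)
    print(inspect_mbr(good, baseline)["verdict"])             # ok
    print(inspect_mbr(bytes(MBR_SIZE), baseline)["verdict"])  # wiped_or_corrupt
```

On a real system the baseline is the first 512 bytes of the boot disk, which `dd if=/dev/sdX bs=512 count=1` (on Linux) or the first 512 bytes of a forensic image will give you; record its SHA-256 while the machine is known to be clean. A sector that still carries the signature but no longer matches the baseline is the interesting middle case: it is not the wholesale wipe described above, but something has rewritten boot code or partition entries and deserves a closer look.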
Here’s the infographic showing the whole process:
Rombertik uses several layers of obfuscation, much of it garbage code. Cisco stated that the Rombertik sample is only 28 KB, while the packed version is 1264 KB. The file is made to look legitimate by including 8,000 different functions and 75 images that are never used.
Normally malware sleeps so that the sandbox times out before the malware wakes up and begins its work. In response, sandboxes have become better at detecting and handling samples that sleep for long periods of time.
Rombertik achieves the same delay, but it does so without ever sleeping.
Who is Rombertik’s father?
Rombertik is being spread through phishing and spam messages, which should make everyone a little more vigilant about opening unknown emails. It shows the classic elements of malware: a poorly written initial phishing attempt, bog-standard capture of data from your browsing session, and first-class anti-detection methods that pack a heck of a punch if it is found out.
The creators of Rombertik have gone through a lot of trouble to make sure the virus arrives at the right target and does what it is meant to do. This is the kind of thing you would expect to see from people in national security, either our own or someone else's.
That said, no one is really talking about a government initiative behind Rombertik. It is more worrying to think that a trojan this complex was created by state actors, but these types of techniques are becoming more common, and it seems to be getting worse.