The Rombertik malware strain takes extraordinary measures to stop the analysis of its core functions and abilities, security researchers have discovered.
Security researchers need to be able to capture and scrutinize samples of new malware entering the threat landscape in order to improve the security products and antivirus software offered by cybersecurity companies. In response, threat actors are making their lives more difficult through anti-detection and anti-analysis techniques, such as wiping the malware's traces, or the compromised system altogether.
Ben Baker and Alex Chiu from Cisco Systems' Talos Group said in a blog post Monday that a new strain of spyware, dubbed Rombertik, is a complex system complete with "multiple layers of obfuscation and anti-analysis functionality" which highlights this growing trend.
Rombertik is spyware designed to collect data on everything a victim does online, doing so in an indiscriminate manner rather than focusing on areas such as Internet banking or social media accounts. After being loaded into a system via a phishing campaign and malicious email attachments, Rombertik runs a series of anti-analysis checks, such as checking to see if it is running within a sandbox.
Once those checks pass, Rombertik decrypts and installs itself on the victim's computer. Following installation, it launches a second copy of itself and overwrites that copy with the malware's core spying functionality.
The spyware is unusual, however, in how far the malicious code will go to prevent detection, analysis and debugging. According to Cisco, before the malware begins spying on a victim, Rombertik runs a final check to detect whether it is being analyzed in memory. If this check fails, it destroys the master boot record (MBR) of the compromised computer, rendering the PC inoperable.
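What an incident responder wants at this point is a quick way to tell a wiped MBR from an intact one. The following Python is an added example, not code from Cisco's post and not Rombertik's own code: it parses a 512-byte MBR, checks its structure (boot signature and partition entries) and compares it with a baseline SHA-256 fingerprint taken earlier from the same machine. The sector it runs on is constructed inline (dummy bootstrap bytes and a single partition entry), not a real disk image.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # bytes at offsets 510-511 of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into its bootstrap code, the four 16-byte
    partition entries and the trailing boot signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected a {SECTOR_SIZE}-byte sector, got {len(sector)}")
    partitions = []
    for n in range(4):
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * n)
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"bootstrap": sector[:446], "partitions": partitions, "signature": sector[510:512]}


def mbr_is_intact(sector: bytes) -> bool:
    """Structural check: correct boot signature and at least one used
    partition entry whose status byte is 0x00 (inactive) or 0x80 (bootable)."""
    mbr = parse_mbr(sector)
    if mbr["signature"] != BOOT_SIGNATURE:
        return False
    used = [p for p in mbr["partitions"] if p["type"] != 0]
    return bool(used) and all(p["status"] in (0x00, 0x80) and p["sectors"] > 0 for p in used)


def mbr_fingerprint(sector: bytes) -> str:
    """SHA-256 of the whole sector; record this from a known-good machine as the baseline."""
    return hashlib.sha256(sector).hexdigest()


def check_mbr(sector: bytes, baseline: str) -> str:
    """Classify a sector against a baseline fingerprint:
    'destroyed' - structure is gone (what a wiper leaves behind)
    'modified'  - structure intact but bytes differ (bootstrap code patched)
    'ok'        - identical to the baseline"""
    if not mbr_is_intact(sector):
        return "destroyed"
    if mbr_fingerprint(sector) != baseline:
        return "modified"
    return "ok"


def build_sample_mbr() -> bytes:
    """Constructed sample, not a real disk image: dummy bootstrap code plus one
    active NTFS-type (0x07) partition starting at LBA 2048 with 1,000,000 sectors."""
    bootstrap = b"\xeb\x63\x90" + b"\x00" * (446 - 3)          # jmp + nop, then padding
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 1_000_000)
    return bootstrap + entry + b"\x00" * 48 + BOOT_SIGNATURE


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = mbr_fingerprint(good)
    print("baseline sector:", check_mbr(good, baseline))                 # ok
    print("zeroed sector:", check_mbr(b"\x00" * SECTOR_SIZE, baseline))  # destroyed
    patched = b"\x90" * 446 + good[446:]                                  # bootstrap replaced, table kept
    print("patched bootstrap:", check_mbr(patched, baseline))             # modified
```

On a live host the sector would be read from the raw disk device (\\.\PhysicalDrive0 on Windows, /dev/sda on Linux), which needs administrator or root rights. The structural check catches a sector that has been overwritten wholesale, which is the outcome described above; the fingerprint comparison catches the subtler case where the partition table survives but the bootstrap code has been replaced.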
The researchers reverse engineered the malware and found that Rombertik uses "garbage code" to inflate the volume of code an analyst has to examine: the unpacked Rombertik sample is 28KB, while the packed version is 1264KB, padded with many images and functions that are never used. In addition, Rombertik stalls in sandboxes by writing a random byte of data to memory 960 million times.
"If an analysis tool attempted to log all of the 960 million write instructions, the log would grow to over 100 gigabytes," the researchers explain. "Even if the analysis environment was capable of handling a log that large, it would take over 25 minutes just to write that much data to a typical hard drive. This complicates analysis."
Rombertik also checks whether it is running as the yfoye.exe component. If it detects that it is under scrutiny, the malware attempts to overwrite the MBR. Should that fail, Rombertik falls back to plan B and destroys every file in the user's home folder by encrypting each one with a random RC4 key.
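To see why "encrypting each file with a random RC4 key" is destruction rather than ransomware, the following Python, an added example that is neither Cisco's code nor Rombertik's, implements RC4 and models the fallback: each file in a constructed in-memory "home folder" is encrypted under its own fresh key, and the key is discarded immediately. The 16-byte key length is an assumption; the page does not state what Rombertik uses. The block checks its RC4 against the published test vector for key "Key" and plaintext "Plaintext".

```python
import os
from typing import Dict, Iterator


def rc4_keystream(key: bytes) -> Iterator[int]:
    """RC4: key-scheduling algorithm (KSA), then an endless PRGA byte generator."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1 to 256 bytes")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; RC4 is symmetric, so this both encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def wipe_by_encryption(files: Dict[str, bytes], key_len: int = 16) -> Dict[str, bytes]:
    """Model of the wiper's fallback: every file gets its own fresh random key,
    and the key is thrown away as soon as the file has been encrypted."""
    wiped = {}
    for name, content in files.items():
        key = os.urandom(key_len)      # key_len is an assumption; the page gives no length
        wiped[name] = rc4(key, content)
        del key                        # nothing retains it: no ransom note, no recovery path
    return wiped


if __name__ == "__main__":
    # Published RC4 test vector: key "Key", plaintext "Plaintext" -> bbf316e8d940af0ad3
    print("test vector:", rc4(b"Key", b"Plaintext").hex())
    # Constructed sample "home folder", not real user data
    home = {"notes.txt": b"meeting moved to 3pm", "budget.csv": b"q1,1000\nq2,2000\n"}
    wiped = wipe_by_encryption(home)
    for name in home:
        print(name, "unchanged after wipe:", wiped[name] == home[name])
```

Because the key never leaves the loop, the ciphertext is noise to the victim and to the attacker alike; ransomware, by contrast, has to keep or escrow the key so it can be sold back. RC4's known cryptographic weaknesses do not help the victim either: they need many keystreams under related keys or repeated plaintexts, which a single file under a single fresh key does not provide, so the files are gone unless a backup exists.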
In short, if Rombertik's spying is interfered with, the malware unleashes a nasty set of wiper routines that leave the computer a brick. Infection rates, however, remain rather low.
In conclusion, Cisco says:
"Good security practices, such as making sure anti-virus software is installed and kept up-to-date, not clicking on attachments from unknown senders, and ensuring robust security policies are in place for email (such as blocking certain attachment types) can go a long way when it comes to protecting users.
However, a defense in depth approach that covers the entire attack continuum can help identify malware and assist in remediation in the event that an attacker finds a way to evade detection initially."