SecurityWeek | Malware & Threats

Analysis Attempts Cause Rombertik Malware to Destroy the MBR

Researchers at Cisco’s Talos Security Intelligence and Research Group have conducted an in-depth analysis of Rombertik, a sophisticated piece of malware designed to steal sensitive information from infected devices. In an effort to ensure that their creation cannot be analyzed, the malware authors have included some clever mechanisms.

Rombertik is distributed as a file attached to spam and phishing messages. Once it’s executed, the malware starts performing anti-analysis checks to make sure that it’s not running in a sandbox.

One of the evasion methods used by the info-stealer involves the use of garbage data. Experts have determined that 97 percent of the Rombertik executable consists of 75 images and more than 8,000 functions that are not utilized.

Many sandboxes are designed to monitor a file only for a certain period of time to determine whether it is malicious. That is why malware developers have started programming their creations to sleep before starting their malicious routines.

Rombertik doesn’t sleep. Instead, it evades sandboxes by writing one byte of random data to memory 960 million times. While this method is similar to sleeping, it can be much more effective against tracking tools and sandboxes.

“Sandboxes may not be able to immediately determine that the application is intentionally stalling since it’s not sleeping. The other disadvantage is that the repetitive writing would flood application tracing tools,” Cisco explained in a blog post. “If an analysis tool attempted to log all of the 960 million write instructions, the log would grow to over 100 gigabytes. Even if the analysis environment was capable of handling a log that large, it would take over 25 minutes just to write that much data to a typical hard drive.”
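The log-flooding problem described above is a tracer design issue as much as an evasion trick. The script below is an added illustration, not Talos's tooling: rather than appending one log line per executed instruction, it keeps a per-instruction hit count, so a loop that repeats one byte-write hundreds of millions of times costs a single table entry instead of a 100 GB log, and the hit count itself becomes the stall signal. The trace format, the addresses and the `STALL_THRESHOLD` value are constructed for the demo.

```python
"""Hot-instruction summary for a sandbox execution trace (added example)."""
from typing import Dict, Iterable, Iterator, List, Tuple

# (instruction pointer, mnemonic, operand string) as a tracer might emit it.
Event = Tuple[int, str, str]

# Hit count above which a single memory-write instruction is treated as a
# stalling loop. This value is an assumption for the demo; Rombertik's loop
# runs 960 million times, so a production threshold can be far higher.
STALL_THRESHOLD = 10_000


def is_memory_write(mnemonic: str, operands: str) -> bool:
    """True when the destination operand is a memory reference such as '[eax]'."""
    dest = operands.split(",")[0].strip()
    return mnemonic.startswith("mov") and dest.endswith("]")


def summarize(events: Iterable[Event]) -> Tuple[Dict[Event, int], int]:
    """Collapse the trace into per-instruction hit counts, insertion ordered."""
    counts: Dict[Event, int] = {}
    total = 0
    for ev in events:
        counts[ev] = counts.get(ev, 0) + 1
        total += 1
    return counts, total


def flag_stalls(counts: Dict[Event, int],
                threshold: int = STALL_THRESHOLD) -> List[Tuple[int, int]]:
    """Return (ip, hits) for memory-write instructions at or above the threshold."""
    return [
        (ip, hits)
        for (ip, mnemonic, operands), hits in counts.items()
        if hits >= threshold and is_memory_write(mnemonic, operands)
    ]


def synthetic_trace(iterations: int) -> Iterator[Event]:
    """Constructed trace: a prologue, a tight one-byte-write loop, then a call."""
    yield (0x401000, "push", "ebp")
    yield (0x401001, "mov", "ebp, esp")
    for _ in range(iterations):
        yield (0x401010, "mov", "byte ptr [eax], cl")  # write one byte
        yield (0x401013, "inc", "eax")
        yield (0x401014, "cmp", "eax, edx")
        yield (0x401016, "jne", "0x401010")
    yield (0x401018, "call", "0x402000")


def analyze(iterations: int, threshold: int = STALL_THRESHOLD) -> dict:
    """Run the summary over the constructed trace and report what it found."""
    counts, total = summarize(synthetic_trace(iterations))
    return {
        "raw_events": total,            # lines a naive per-instruction log would hold
        "summary_entries": len(counts),  # entries the hit-count table holds instead
        "stalls": flag_stalls(counts, threshold),
    }


if __name__ == "__main__":
    print(analyze(20_000))
```

With 20,000 iterations the naive log would hold 80,003 lines while the summary holds seven entries, and the byte-write at 0x401010 is reported as a stall. Per-address counting also keeps the evidence a naive logger would have to drop: the loop address and its hit count are exactly what an analyst needs to patch around or time out the stall.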

The malware is designed to terminate if certain anti-analysis checks fail. If no analysis tools are detected, Rombertik starts decrypting and executing the unpacking code in memory. This code contains function overlaps and unnecessary jumps to increase complexity and prevent analysis.

According to Cisco, Rombertik is similar to the notorious Dyre Trojan. However, unlike Dyre, which is designed to steal information from online banking sites, Rombertik collects usernames and passwords from all the websites visited by the victim.

It does this by checking running processes for the presence of a web browser. If Chrome, Internet Explorer or Firefox are running, the malware injects itself into the process and hooks API functions that handle plaintext data. This allows the threat to capture any data entered by the user into a website before it gets encrypted.

But before starting its information theft routines, the malware does one last check to ensure that it’s not being analyzed. If this check fails, the threat starts exhibiting wiper behavior.

First, it attempts to overwrite the Master Boot Record (MBR), which makes the infected device inoperable. If it doesn’t have permission to overwrite the MBR, Rombertik will attempt to encrypt files stored in the home folder using a randomly generated RC4 key.

Once the MBR is overwritten, the computer is restarted and the victim is presented with a message that reads, “Carbon crack attempt, failed.” In addition to preventing the computer from booting, the malware also overwrites bytes for disk partitions, making it difficult to recover data. “While Talos has observed anti-analysis and anti-debugging techniques in malware samples in the past, Rombertik is unique in that it actively attempts to destroy the computer if it detects certain attributes associated with malware analysis,” Cisco researchers noted.
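The wiper behaviour above is detectable after the fact, and a baseline of the first sector makes it detectable early. The script below is an added example, not Talos's code: it parses a 512-byte MBR, hashes the boot code, decodes the four partition entries, verifies the 0x55AA boot signature and looks for the "Carbon crack attempt" string the article mentions. The sample sector it builds is constructed for the demo; nothing here writes to disk.

```python
"""MBR integrity check against a known-good baseline (added example)."""
import hashlib
import struct
from typing import Dict, List

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16
# Message the article reports Rombertik displays after wiping the MBR.
WIPER_MARKER = b"Carbon crack attempt"


def parse_mbr(sector: bytes) -> Dict:
    """Split an MBR sector into boot-code hash, partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        # Entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "bootcode_sha256": hashlib.sha256(sector[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_bootcode_sha256: str) -> List[str]:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["bootcode_sha256"] != baseline_bootcode_sha256:
        findings.append("boot code differs from baseline")
    if all(p["type"] == 0 for p in info["partitions"]):
        findings.append("partition table empty")
    if WIPER_MARKER in sector:
        findings.append("Rombertik wiper message present")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed healthy sector: a jump stub, one NTFS-type partition, valid signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xeb\x3c\x90"  # typical boot-code entry jump
    entry = struct.pack("<BBBBBBBBII", 0x80, 0, 0, 0, 0x07, 0, 0, 0, 2048, 204800)
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + PARTITION_ENTRY_SIZE] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    healthy = build_sample_mbr()
    baseline = parse_mbr(healthy)["bootcode_sha256"]
    print("healthy:", check_mbr(healthy, baseline))
    print("wiped:", check_mbr(bytes(SECTOR_SIZE), baseline))
```

To run it against a real machine, read the first 512 bytes of the physical disk (`\\.\PhysicalDrive0` on Windows with administrative rights, `/dev/sda` on Linux as root) while the system is known good, store the boot-code hash, and re-check it on a schedule or from a boot medium; a changed hash, a zeroed partition table or a missing signature is the point at which an offline backup, not the running system, becomes the recovery path.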

Related: Dyre Banking Trojan Counts Processor Cores to Detect Sandboxes

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.