Cisco reported earlier this month that the Rombertik malware attempts to destroy the master boot record (MBR) of infected devices to prevent researchers from analyzing the threat. However, Symantec says the feature is actually designed to prevent unauthorized use of the Trojan.
According to Symantec, Rombertik is a new version of the Trojan known as Carbon Grabber (Infostealer.Retgate). The malware allows cybercriminals to steal information and gives them backdoor access to infected devices.
The malware has several anti-analysis mechanisms designed to prevent researchers from running it in a sandbox. If someone tries to tamper with it, the malware attempts to overwrite the device’s MBR and encrypt files. However, Symantec believes this destructive payload is not actually aimed at security researchers.
Researchers believe the feature is actually a trap for those who might try to use and modify the malware without authorization. When cybercriminals purchase Rombertik from its creator, they get a copy that communicates only with their command and control (C&C) server. The address of the C&C is embedded in the binary code.
Some cybercrooks might try to hack the binary and change the address of the C&C server so that they can use the malware without having to pay for it. To prevent unauthorized use, the developers ensured that the destructive protection mechanism is triggered when such attempts are discovered.
After the MBR is overwritten and the files on the infected device are encrypted, the following message is displayed: “Carbon crack attempt, failed.” This message makes sense if the destructive payload is intended as punishment for individuals trying to pirate the Trojan.
However, Symantec has noted that this protection mechanism can be bypassed. The resource containing the URL of the C&C server is encrypted using an RSA key. A hash of this RSA key is stored in the “compiled time” field of the PE header. This hash is compared to the hash of the key that is used, and the malware runs normally if the hashes match. If modifications are made to the malware and the RSA key is replaced, the hashes will not match and the malware triggers the destructive payload.
While this is a good way to test if the malware has been tampered with, the developers appear to have made a mistake. Symantec experts determined that the encryption keys are included in the malware binary.
“We were able to encrypt a different C&C URL using the public key and decrypt it using the included private key. This means that if somebody wanted to repurpose a copy of the Trojan without paying for a new one, they could do so using this method without triggering the destructive payload,” Symantec wrote in a blog post.
“Based on our analysis, we don’t believe that this functionality is designed as an anti-analysis feature to thwart the efforts of security researchers. Instead, this looks like it is the malware developer’s way of punishing the naive cheapskates who may be trying to use this software for free,” researchers noted. “There’s no denying the damage that this threat can cause, it really is very destructive, but this is no indiscriminate wiper Trojan.”
