Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Rombertik Malware’s Destructive Payload Is an Anti-Piracy Feature: Symantec

Cisco reported earlier this month that the Rombertik malware attempts to destroy the master boot record (MBR) of infected devices to prevent researchers from analyzing the threat. However, Symantec says the feature is actually designed to prevent unauthorized use of the Trojan.

Cisco reported earlier this month that the Rombertik malware attempts to destroy the master boot record (MBR) of infected devices to prevent researchers from analyzing the threat. However, Symantec says the feature is actually designed to prevent unauthorized use of the Trojan.

According to Symantec, Rombertik is a new version of the Trojan known as Carbon Grabber (Infostealer.Retgate). The malware allows cybercriminals to steal information and gives them backdoor access to infected devices.

The malware has several anti-analysis mechanisms designed to prevent researchers from running it in a sandbox. If someone tries to tamper with it, the malware attempts to overwrite the device’s MBR and encrypt files. However, Symantec believes this destructive payload is not actually aimed at security researchers.

Researchers believe the feature is actually a trap for those who might try to use and modify the malware without authorization. When cybercriminals purchase Rombertik from its creator, they get a copy that communicates only with their command and control (C&C) server. The address of the C&C is embedded in the binary code.

Some cybercrooks might try to hack the binary and change the address of the C&C server so that they can use the malware without having to pay for it. To prevent unauthorized use, the developers ensured that the destructive protection mechanism is triggered when such attempts are discovered.

After the MBR is overwritten and the files on the infected device are encrypted, the following message is displayed: “Carbon crack attempt, failed.” This message makes sense if the destructive payload is intended as punishment for individuals trying to pirate the Trojan.

However, Symantec has noted that this protection mechanism can be bypassed. The resource containing the URL of the C&C server is encrypted using an RSA key. A hash of this RSA key is stored in the “compiled time” field of the PE header. This hash is compared to the hash of the key that is used, and the malware runs normally if the hashes match. If modifications are made to the malware and the RSA key is replaced, the hashes will not match and the malware triggers the destructive payload.

While this is a good way to test if the malware has been tampered with, the developers appear to have made a mistake. Symantec experts determined that the encryption keys are included in the malware binary.

“We were able to encrypt a different C&C URL using the public key and decrypt it using the included private key. This means that if somebody wanted to repurpose a copy of the Trojan without paying for a new one, they could do so using this method without triggering the destructive payload,” Symantec wrote in a blog post.

“Based on our analysis, we don’t believe that this functionality is designed as an anti-analysis feature to thwart the efforts of security researchers. Instead, this looks like it is the malware developer’s way of punishing the naive cheapskates who may be trying to use this software for free,” researchers noted. “There’s no denying the damage that this threat can cause, it really is very destructive, but this is no indiscriminate wiper Trojan.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.