Rombertik Strike at MBR Latest in Long Line of Malware Self-Defense Tactics

Recently, researchers at Cisco Systems identified a new piece of malware armed with a sophisticated anti-debugging feature that attempts to overwrite the master boot record if the malware discovers it is being analyzed.

The malware, known as Rombertik, is the latest in a long line of examples of malware designed to make the lives of analysts and researchers harder. 

“It is very common for malware to contain anti-debug, anti-virtualization, and anti-analysis features,” said Christiaan Beek, director of threat intelligence for McAfee Labs, part of Intel Security. “Some of the more sophisticated attacks we’re seeing utilize payload delay timing whereas the real payload isn’t dropped until the malware figures out it’s a real target and not some sandbox. Execution of payload is delayed for a specified period of time to determine if the system it’s running on is a sandbox or a real machine.”

“An overall theme we’re seeing here is that most malware using such tactics are attempting to prevent getting blacklisted so they can infect and persist for a longer period of time,” he continued. “Threats like Rombertik, which perform obviously malicious behavior in the presence of a research environment are less common.”

Rombertik is being spread through spam and phishing messages. According to Cisco, if executed, Rombertik will first stall, then run through a series of anti-analysis checks to see if it is running in a sandbox. Once these checks are complete, the malware will decrypt and install itself on the victim’s computer to maintain persistence.

“After installation, it will then launch a second copy of itself and overwrite the second copy with the malware’s core functionality,” blogged Cisco researchers Ben Baker and Alex Chiu. “Before Rombertik begins the process of spying on users, Rombertik will perform one last check to ensure it is not being analyzed in memory. If this check fails, Rombertik will attempt to destroy the Master Boot Record (MBR) and restart the computer to render it unusable.”

This second anti-analysis function computes a 32-bit hash of a resource in memory and compares it to the PE Compile Timestamp of the unpacked sample. If the resource or compile time has been changed, the malware will try to overwrite the Master Boot Record of PhysicalDisk0, making the computer inoperable. If the malware lacks the permissions to overwrite MBR, it will instead destroy all files in the user’s home folder.
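The check described above keys on the PE compile timestamp of the unpacked sample, so an analyst working on a memory dump needs to know exactly which header field that is and leave it untouched. The following is an added example, not Cisco's analysis code or anything from the sample: it parses the COFF `TimeDateStamp` out of a PE image using only the documented header layout (`e_lfanew` at offset 0x3C, the `PE\0\0` signature, then the 20-byte COFF file header). The image it parses is a constructed minimal header, not a real binary, and the timestamp value in it is made up.

```python
"""Read the COFF TimeDateStamp ("PE compile timestamp") from a PE image.

Added example, not Cisco's or the malware's code. It locates the header
field that the article says Rombertik's final in-memory integrity check
compares against, so an analyst knows which value must stay unmodified
when a sample is unpacked for inspection. The image below is a
constructed minimal header, not a real binary.
"""
import struct
from datetime import datetime, timezone

# Constructed sample value (not from the article): 2015-04-25T22:13:20Z.
CONSTRUCTED_TIMESTAMP = 1430000000

# Constructed minimal PE image: a 64-byte DOS header whose e_lfanew (at
# offset 0x3C) points at 0x40, followed by the "PE\0\0" signature and a
# 20-byte COFF file header.
CONSTRUCTED_PE = (
    b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)   # e_lfanew -> 0x40
    + b"PE\x00\x00"                                  # PE signature
    + struct.pack(
        "<HHIIIHH",
        0x014C,                 # Machine: IMAGE_FILE_MACHINE_I386
        1,                      # NumberOfSections
        CONSTRUCTED_TIMESTAMP,  # TimeDateStamp (the compile timestamp)
        0,                      # PointerToSymbolTable
        0,                      # NumberOfSymbols
        0xE0,                   # SizeOfOptionalHeader (PE32)
        0x0102,                 # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    )
)


def pe_compile_timestamp(image: bytes) -> int:
    """Return the COFF TimeDateStamp of a PE image, or raise ValueError.

    The field sits at e_lfanew + 8: four bytes of signature, two bytes of
    Machine and two bytes of NumberOfSections precede it.
    """
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    # Signature (4) + COFF file header (20) must fit inside the image.
    if e_lfanew + 24 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image: missing PE signature")
    (stamp,) = struct.unpack_from("<I", image, e_lfanew + 8)
    return stamp


def timestamp_to_iso(stamp: int) -> str:
    """Render the 32-bit seconds-since-epoch stamp as an ISO 8601 UTC string."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat()


if __name__ == "__main__":
    stamp = pe_compile_timestamp(CONSTRUCTED_PE)
    print(f"TimeDateStamp = {stamp} ({timestamp_to_iso(stamp)})")
```

Run against a dumped, unpacked image, this tells the analyst what the sample's own check is reading; the article does not state which resource is hashed or how, so the example deliberately stops at the timestamp field and does not try to reproduce the comparison.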


Rombertik also employs several layers of obfuscation, including the use of garbage code. According to Cisco, the unpacked Rombertik sample is 28KB while the packed version is 1264KB. More than 97 percent of the packed file is dedicated to making the file look legitimate by including 75 images and 8,000 functions that are never used, the researchers noted.

“A common technique to evade sandboxes is to sleep for extended lengths of time with the intention of forcing the sandbox to time out before the malware “wakes up” and begins executing,” the researchers explained. “In response, sandboxes got better at detecting and responding when malware slept for extended periods of time. Rombertik employs a similar approach to delay execution, but does so without sleeping.”

Instead, they blogged, it writes a byte of random data to memory 960 million times to consume time. Sandboxes may not be able to immediately determine that the application is intentionally stalling since it is not sleeping. In addition, the repetitive writing would flood application tracing tools.

“If an analysis tool attempted to log all of the 960 million write instructions, the log would grow to over 100 gigabytes,” the Cisco researchers blogged. “Even if the analysis environment was capable of handling a log that large, it would take over 25 minutes just to write that much data to a typical hard drive. This complicates analysis.”
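The log-flooding problem the Cisco researchers describe has a standard defensive answer: an instruction tracer that run-length encodes consecutive identical events keeps the log proportional to the number of distinct runs rather than the number of raw writes, and the resulting repeat count is itself a strong stall indicator. The following is an added example written for this article, not Cisco's tooling or any sandbox's real code. It assumes a tracer that emits one `(op, address, size)` event per instruction, with the byte value written excluded from the grouping key so a "random byte to the same location" loop collapses to one counted entry; the sample trace, the 120-bytes-per-log-line figure and the 70 MB/s disk rate are constructed assumptions chosen to line up with the article's "over 100 gigabytes" and "over 25 minutes".

```python
"""Coalesce repetitive memory-write trace events so a stalling loop cannot
flood an analysis log, then flag the stall itself.

Added example, not Cisco's or any sandbox's code. Assumptions: the tracer
emits one (op, address, size) tuple per instruction and the written value
is not part of the tuple, so repeated writes to one address group together.
"""
from itertools import chain, groupby, repeat

# Constructed sample trace: a short prologue, a 5000-iteration stall loop
# that rewrites a single stack byte, then a few more ordinary instructions.
SAMPLE_TRACE = list(chain(
    [("read", 0x00401000, 4), ("write", 0x0012FF80, 4), ("call", 0x00401200, 0)],
    repeat(("write", 0x0012FF7F, 1), 5000),
    [("read", 0x0012FF7F, 1), ("ret", 0x00401220, 0)],
))


def coalesce_trace(events):
    """Run-length encode consecutive identical events as [(event, count), ...].

    Streams through the input once; memory grows with the number of runs,
    not the number of raw events, which is what stops a 960-million-write
    loop from becoming a 100 GB log.
    """
    return [(key, sum(1 for _ in run)) for key, run in groupby(events)]


def detect_stall(coalesced, min_repeats=1000):
    """Return coalesced entries that look like a stalling loop.

    min_repeats is an assumed tuning threshold: a write repeated to the
    same address this many times in a row is reported as a likely stall.
    """
    return [(event, count) for event, count in coalesced
            if event[0] == "write" and count >= min_repeats]


def estimate_raw_log_bytes(n_events, bytes_per_line=120):
    """Size of a naive one-line-per-event log (bytes_per_line is assumed)."""
    return n_events * bytes_per_line


def estimate_write_minutes(total_bytes, disk_mb_per_s=70):
    """Minutes needed to flush that log at an assumed sustained disk rate."""
    return total_bytes / (disk_mb_per_s * 1_000_000) / 60


if __name__ == "__main__":
    coalesced = coalesce_trace(SAMPLE_TRACE)
    print(f"{len(SAMPLE_TRACE)} raw events -> {len(coalesced)} log entries")
    for (op, addr, size), count in detect_stall(coalesced):
        print(f"stall candidate: {op} {size}B @ {addr:#010x} repeated {count}x")
    raw = estimate_raw_log_bytes(960_000_000)
    print(f"naive log for 960M writes: ~{raw / 1e9:.0f} GB, "
          f"~{estimate_write_minutes(raw):.0f} min to write to disk")
```

In the constructed trace, 5,005 raw events become six log entries, and the 5,000-iteration write run is the only stall candidate. With the assumed line size the naive log for 960 million writes comes to roughly 115 GB and about 27 minutes of disk time, the same order of magnitude the researchers report; the point of the coalescing step is that the sandbox records the loop as one line with a count instead.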

According to Tom Kellermann, chief cybersecurity officer at Trend Micro, common sandbox evasion techniques include having the payload wait until mouse clicks are detected, virtual machine detection and port binding.

Misdirection and dead code are common in malware, but typically not as elaborate as in Rombertik, said Tim Stiller, consultant with Rapid7’s analytic response team.

“What makes Rombertik really stand out is its destructive capability to overwrite the MBR or encrypt files if it detects any tampering has occurred,” he said. “Other malware families that use tampering detection normally just exit execution.”
