
Rombertik Info-Stealing Trojan Destroys Hard Drives If Detected

Rombertik, a newly discovered piece of malware, was recently detected in the wild. What makes it unusual is its aggressive response to any attempt to monitor it: if Rombertik recognizes that it is being analyzed, it tries to overwrite the MBR (master boot record) of the hard drive.


Rombertik’s Behavior

Once installed, Rombertik behaves like typical data-collecting malware. What sets it apart is the way it checks whether it is running inside a VM-based sandbox, and what it does when it concludes that it is.

Rombertik contains a large amount of data whose only purpose is to make it look like a genuine application. Researchers at Cisco report that about 97% of the packed file is never used by the malware at all.

As soon as Rombertik starts running, the executable writes a byte to memory around 960 million times. The aim is to overwhelm any tool that traces the threat's memory activity: logging every one of those writes would produce more than 100 GB of log files.

Once the writes are finished, Rombertik checks for certain errors that a VM typically suppresses. If it does not detect a sandbox environment, the threat unpacks itself. The unpacked code is obfuscated with numerous jumps and functions and is deliberately bloated with needless code.

Rombertik’s anti-analysis logic is a relatively simple flowchart, but it is run through a very large number of iterations. The executable itself, on the other hand, is quite messy; its primary goal is to stop researchers from discovering what the code is actually doing.

When this stage is complete, the malware computes a 32-bit hash of a resource in memory and compares it with the hash of the unpacked sample. If the two differ, which indicates that the sample has been modified or is being analyzed, Rombertik tries to overwrite the MBR of the victim’s hard drive. If it cannot access the drive, it instead encrypts every file in the Administrator user’s directory with a randomly generated RC4 key. Once the MBR has been replaced and the machine restarts into the new boot code, that code overwrites the partition data with null bytes, which makes restoring the drive almost impossible.
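The two anti-analysis steps described above (the memory-write flood and the 32-bit self-integrity check) can be modelled in a few lines of C. The program below is an added example written for this page; it is not Rombertik's code and not Cisco's. Assumptions made here: the article does not name the hash, so 32-bit FNV-1a stands in for it; the "resource" is a constructed byte string; the expected hash is stored next to the resource instead of being taken from the unpacked payload; and the destructive branch is replaced by a return value.

```c
/*
 * Added example (not Rombertik's own code): a benign model of a
 * memory-write flood followed by a 32-bit self-integrity check.
 * Assumptions: FNV-1a stands in for the unnamed 32-bit hash, the
 * resource is a constructed byte string, and the destructive branch
 * is replaced by a verdict value.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Step 1: the flood loop. Rombertik performs ~960 million single-byte
 * writes; a tracer that records every store would produce a ~100 GB log.
 * 'volatile' stops the compiler from collapsing the loop into one store,
 * which is what makes each iteration visible to a tracer at all. */
uint64_t flood_writes(uint64_t count)
{
    volatile uint8_t sink = 0;
    uint64_t i;
    for (i = 0; i < count; i++)
        sink = (uint8_t)i;           /* one separate store per iteration */
    (void)sink;
    return i;                        /* number of stores performed */
}

/* 32-bit FNV-1a, used here as a stand-in for the article's unnamed hash. */
uint32_t fnv1a32(const uint8_t *data, size_t len)
{
    uint32_t h = 0x811c9dc5u;        /* FNV offset basis */
    size_t i;
    for (i = 0; i < len; i++) {
        h ^= data[i];
        h *= 0x01000193u;            /* FNV prime */
    }
    return h;
}

/* Constructed stand-in for the resource that is hashed in memory. The
 * expected value is recorded when the resource is "packed"; the real
 * sample compares against the hash of the unpacked payload instead. */
typedef struct {
    uint8_t  data[64];
    size_t   len;
    uint32_t expected;
} resource_t;

resource_t make_resource(void)
{
    resource_t r;
    const char *sample = "constructed resource bytes for the demo";
    r.len = strlen(sample);
    memcpy(r.data, sample, r.len);
    r.expected = fnv1a32(r.data, r.len);
    return r;
}

enum verdict { RUN_PAYLOAD = 0, TAMPERED = 1 };

/* Step 2: recompute the hash of the resource as it sits in memory and
 * compare. A mismatch means the file changed after packing (patched,
 * dumped and re-saved, or instrumented in place). Rombertik answers a
 * mismatch by overwriting the MBR; this model only returns the verdict. */
enum verdict self_check(const resource_t *r)
{
    return fnv1a32(r->data, r->len) == r->expected ? RUN_PAYLOAD : TAMPERED;
}

/* Exercises both outcomes: the intact resource must pass, and a resource
 * with a single patched byte must be caught. Returns 1 if both hold. */
int check_detects_patch(void)
{
    int intact, caught;
    resource_t r = make_resource();
    intact = (self_check(&r) == RUN_PAYLOAD);
    r.data[3] ^= 0x01;               /* an analyst patches one byte */
    caught = (self_check(&r) == TAMPERED);
    return intact && caught;
}

int main(void)
{
    flood_writes(1000000);           /* reduced from 960,000,000 for the demo */
    printf("self-check catches a one-byte patch: %s\n",
           check_detects_patch() ? "yes" : "no");
    return 0;
}
```

The practical consequence for analysts follows from the second step: any change to the hashed region, including a breakpoint patched into the resource or a dumped-and-resaved copy, flips the verdict, so a sample like this should only be detonated on a disposable VM whose disk can be thrown away, and the unpacked payload should be analysed as a separate copy rather than patched in place.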

The Attackers

Rombertik apparently combines elements of several pieces of malware to make sure the threat is delivered and activated. Experts disagree about who wrote this complex Trojan; some compare its obfuscation to techniques that only state actors would be expected to develop.


Boyana Peeva
Believes that the glass is rather half-full and that nothing is bigger than the little things. Enjoys writing, reading and sharing content – information is power.