Rombertik, a new piece of malware, was recently detected in the wild. What makes the threat unique is its aggressive response to any attempt to monitor it: if Rombertik recognizes that it is being analyzed, it tries to overwrite the MBR (master boot record) of the hard drive.
Once installed, Rombertik behaves as typical data-collecting malware. What sets it apart is the way it checks whether it is running inside a VM-provided sandbox, and what it does if it finds that it is.
Rombertik carries a large amount of data whose only purpose is to make the file look genuine. Researchers at Cisco report that about 97% of the packed files are in fact never used by the malware.
As soon as Rombertik starts operating, the executable writes around 960 million bytes to memory, a tactic intended to flood any application tracing the threat with log files of around 100GB.
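The write flood described above works because a naive tracer emits one log record per memory write. A simple countermeasure on the analysis side is to log only the first few events per (operation, address) key and count the rest. The following is an added example written for this article, not code from the original page or from Cisco's report; the event tuple layout, the `limit` parameter and the constructed trace are assumptions chosen for illustration.

```python
"""Rate-limited trace logger: keep the first few events per key, count the rest.

Added example, not from the original article. The event format
(operation name, address, byte value) is an assumed layout for illustration;
real tracers use their own record format.
"""
import random
from collections import Counter
from typing import Iterable, List, Tuple

Event = Tuple[str, int, int]  # (operation, address, value)


def coalesce(events: Iterable[Event], limit: int = 3) -> List[str]:
    """Return log lines with repeated events per (op, addr) key suppressed.

    The first `limit` events for each key are logged verbatim; further events
    for that key are counted and reported in a single summary line at the end.
    A flood of hundreds of millions of writes to one location therefore costs
    a handful of lines instead of a multi-gigabyte log.
    """
    lines: List[str] = []
    seen: Counter = Counter()
    suppressed: Counter = Counter()
    for op, addr, val in events:
        key = (op, addr)
        seen[key] += 1
        if seen[key] <= limit:
            lines.append(f"{op} addr=0x{addr:08x} val=0x{val:02x}")
        else:
            suppressed[key] += 1
    for (op, addr), n in suppressed.items():
        lines.append(f"{op} addr=0x{addr:08x} ... {n} further events suppressed")
    return lines


def simulated_flood(repeats: int, seed: int = 0) -> Iterable[Event]:
    """Constructed trace: a few ordinary events around a repeated random-byte write.

    The addresses and values are made up for this example. The repeated write
    uses a fresh random byte each time, so coalescing must key on (op, addr)
    rather than on the full event.
    """
    rng = random.Random(seed)
    yield ("read", 0x00401000, 0x55)
    yield ("write", 0x00402000, 0x41)  # an ordinary, one-off write
    for _ in range(repeats):
        yield ("write", 0x00403000, rng.randrange(256))  # the flood
    yield ("call", 0x7C800000, 0x00)


if __name__ == "__main__":
    for line in coalesce(simulated_flood(1_000_000)):
        print(line)
```

With a million flood writes the output is seven lines: the read, the ordinary write, three sample flood writes, the call, and one summary reporting how many writes were suppressed.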
After this stage is complete, Rombertik checks for certain errors that a VM typically suppresses.
If Rombertik does not detect a sandbox environment, it unpacks itself. The malware's code is deliberately obfuscated with numerous jumps, functions and needless bloat.
Rombertik's anti-analysis code is a relatively simple flowchart with a large number of iterations. The executable itself, on the other hand, is quite messy; its primary goal is to stop researchers from discovering what is being written.
Once this process is finished, the malware computes a 32-bit hash and compares it to the unpacked sample. If Rombertik detects that it is running in a VM, it tries to overwrite the MBR of the victim's hard drive. If it cannot access the drive, it instead starts encrypting all the files in the Administrator directory, using an RC4 key. If Rombertik cannot damage the MBR, the partition data gets overwritten with null bytes, which makes restoring the drive almost impossible.
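An MBR that has been overwritten in the way described above is easy to recognize from a forensic image: the sector is zeroed or its boot signature is gone, and it no longer matches a known-good baseline. The following is an added example for this article, not code from the original page or from Cisco's analysis: it parses the first 512 bytes of a disk image, reads the four partition entries and compares the sector against an optional SHA-256 baseline. The sample MBR is constructed inline; the field offsets (partition table at byte 446, signature 0x55AA at bytes 510 and 511) are the standard MBR layout.

```python
"""MBR integrity check for forensic triage.

Added example, not from the original article. Parses a 512-byte sector,
reports partition entries and flags sectors that are zeroed, lack the boot
signature, or differ from a known-good hash.
"""
import hashlib
import struct
from typing import Dict, Optional

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
BOOT_SIGNATURE = b"\x55\xaa"


def inspect_mbr(sector: bytes, known_good_sha256: Optional[str] = None) -> Dict:
    """Parse one 512-byte MBR sector and return structured findings."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    findings: Dict = {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "all_zero": not any(sector),  # a null-byte overwrite leaves nothing set
        "sha256": hashlib.sha256(sector).hexdigest(),
        "partitions": [],
    }
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + 16 * i
        entry = sector[start:start + 16]
        status, ptype = entry[0], entry[4]
        lba_start, sector_count = struct.unpack_from("<II", entry, 8)
        if ptype != 0:  # type 0x00 marks an unused slot
            findings["partitions"].append({
                "index": i,
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": sector_count,
            })
    if known_good_sha256 is not None:
        findings["matches_baseline"] = findings["sha256"] == known_good_sha256
    return findings


def verdict(findings: Dict) -> str:
    """Summarize findings in the order a triage analyst would check them."""
    if findings["all_zero"]:
        return "overwritten: sector is all null bytes"
    if not findings["signature_ok"]:
        return "damaged: boot signature 0x55AA missing"
    if findings.get("matches_baseline") is False:
        return "modified: differs from known-good baseline"
    if not findings["partitions"]:
        return "suspicious: no partition entries"
    return "ok"


def build_sample_mbr() -> bytes:
    """Constructed sample: NOP bootstrap code and one bootable type-0x07 partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:PARTITION_TABLE_OFFSET] = b"\x90" * PARTITION_TABLE_OFFSET
    # status 0x80 (bootable), CHS fields left zero, type 0x07, LBA 2048, 1,000,000 sectors
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 1_000_000)
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = inspect_mbr(good)["sha256"]
    print("clean image:", verdict(inspect_mbr(good, baseline)))
    print("zeroed image:", verdict(inspect_mbr(bytes(SECTOR_SIZE), baseline)))
```

In practice the baseline hash would be taken from a golden image of the same build, and the check run against the first sector of a disk image acquired from the affected host.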
Rombertik apparently combines elements of different malware families to make sure the threat is delivered and activated. Experts voice various opinions about the authors of this complex Trojan, and some regard its obfuscation technique as a feature that could only be designed by state actors.