Rombertik Info-Stealing Trojan Destroys Hard Drives If Detected - How to, Technology and PC Security Forum |

Rombertik Info-Stealing Trojan Destroys Hard Drives If Detected


Rombertik, a new piece of malware, has recently been detected in the wild. What makes the threat unique is its aggressive reaction to any attempt to monitor it. If Rombertik recognizes that it is being analyzed, it tries to overwrite the MBR (master boot record) of the hard drive.


Rombertik’s Behavior

Once installed, Rombertik acts as typical data-collecting malware. What is unique is the method it uses to check whether it is running inside a VM-provided sandbox, and how it behaves if it decides that it is.

Rombertik contains a large amount of data whose only purpose is to make the file look genuine. Researchers at Cisco report that about 97% of the packed file's contents are never actually used by the malware.

As soon as Rombertik starts running, the executable writes around 960 million bytes to memory. The aim is to flood any application that tries to trace the threat with roughly 100 GB of log files.

Once this step is complete, Rombertik checks for certain errors that are typically suppressed inside a VM.
If Rombertik does not detect a sandbox environment, it unpacks itself. The malware's code is deliberately obfuscated with numerous jumps, functions and needless bloat.

Rombertik's anti-analysis code is a relatively simple flowchart with a large number of iterations. The executable itself, on the other hand, is quite messy; its primary goal is to stop researchers from discovering what is being written.

When this process is finished, the malware computes a 32-bit hash and compares it to the unpacked sample. If Rombertik detects that it is running in a VM, it tries to overwrite the MBR of the victim's hard drive. If it cannot access the drive, it instead starts encrypting all the files in the Administrator directory, using an RC4 key. When the MBR is damaged, the partition data is overwritten with null bytes, which makes restoring the drive almost impossible.
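The damage described above leaves recognizable traces in the first sector of the disk. As an added defender-side example (this is not code from the original article or from Cisco's analysis), the following Python script inspects a 512-byte MBR image that an analyst has already acquired and flags the conditions the article describes: a missing boot signature, bootstrap code overwritten with null bytes, and a partition table overwritten with null bytes. The two sample images are constructed inline; the healthy one carries a single NTFS-type partition entry and the wiped one is all zeros.

```python
import struct
from typing import Dict, List

# MBR layout constants (standard layout, not specific to Rombertik)
MBR_SIZE = 512
BOOTSTRAP_SIZE = 446            # bootstrap code occupies bytes 0..445
PARTITION_TABLE_OFFSET = 446    # four 16-byte entries follow the bootstrap
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"    # last two bytes of a valid MBR


def parse_partition_entry(entry: bytes) -> Dict[str, int]:
    """Decode one 16-byte partition table entry (little-endian)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry
    )
    return {"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors}


def inspect_mbr(mbr: bytes) -> Dict[str, object]:
    """Return parsed partition entries plus a list of forensic findings.

    An empty findings list means the sector looks structurally intact.
    """
    findings: List[str] = []
    if len(mbr) != MBR_SIZE:
        findings.append(f"unexpected sector size {len(mbr)} (expected {MBR_SIZE})")
        return {"entries": [], "findings": findings, "intact": False}

    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing boot signature 0x55AA")

    bootstrap = mbr[:BOOTSTRAP_SIZE]
    if bootstrap == b"\x00" * BOOTSTRAP_SIZE:
        findings.append("bootstrap code is all null bytes")

    table = mbr[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 4 * PARTITION_ENTRY_SIZE]
    if table == b"\x00" * len(table):
        findings.append("partition table is all null bytes")

    entries = [
        parse_partition_entry(table[i * PARTITION_ENTRY_SIZE:(i + 1) * PARTITION_ENTRY_SIZE])
        for i in range(4)
    ]
    for idx, e in enumerate(entries):
        # A typed entry with zero length or zero start is a sign of partial overwrite
        if e["type"] != 0 and (e["sectors"] == 0 or e["lba_start"] == 0):
            findings.append(f"partition {idx} has a type but no usable extent")

    return {"entries": entries, "findings": findings, "intact": not findings}


def _build_healthy_mbr() -> bytes:
    """Constructed sample: non-null bootstrap, one active NTFS-type partition."""
    bootstrap = b"\xEB\x3C\x90" + b"\x90" * (BOOTSTRAP_SIZE - 3)   # jmp + NOP padding
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x21\x00", 0x07,
                        b"\xFE\xFF\xFF", 2048, 204800)
    table = entry + b"\x00" * (3 * PARTITION_ENTRY_SIZE)
    return bootstrap + table + BOOT_SIGNATURE


HEALTHY_MBR = _build_healthy_mbr()       # constructed sample
WIPED_MBR = b"\x00" * MBR_SIZE           # constructed sample: fully nulled sector


if __name__ == "__main__":
    for name, image in (("healthy", HEALTHY_MBR), ("wiped", WIPED_MBR)):
        result = inspect_mbr(image)
        print(name, "intact" if result["intact"] else "damaged", result["findings"])
```

To inspect a real acquired image, read its first 512 bytes (for example `open(path, "rb").read(512)` on a raw disk image) and pass them to `inspect_mbr`; the findings list is what you would record in an incident report, and a nulled partition table is the signal that recovery must proceed from backups or partition-table reconstruction rather than from the sector itself.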

The Attackers

Rombertik apparently combines several different malware components that ensure the threat is delivered and activated. Experts hold differing opinions about the authors of this complex Trojan, and some describe its obfuscation technique as one that could only have been designed by state actors.


Boyana Peeva