A new strain of spyware that logs keystrokes and steals data has a destructive side to it, unleashing wiper capabilities if it detects it’s being analyzed and audited.
A limited number of samples of the malware, dubbed Rombertik by researchers at Cisco Talos, were spotted at the start of the year. That relatively small number indicates it could have been used in targeted attacks at the outset, but Craig Williams, security outreach manager at Cisco, said attacks are more widespread now, and are not focused on any particular vertical or geographic location.
“It sounds cliché, but this is really a digital arms race and we’re seeing the next evolution of it here,” Williams said. “They’re no longer content with detect-and-shut-down, now if malware realizes it’s being audited, the binary will destroy the system. It’s a simple case of attackers trying to dissuade researchers from going after a sample.”
Rombertik has a number of unusual and complex features, Williams said, most of which are designed to evade detection and analysis. For example, once the malicious executable is launched from a phishing or spam message, the malware contains volumes of garbage code that would have to be analyzed (1264Kb that includes 75 images and 8,000 functions that are never used).
Like many other pieces of malware, this one also contains capabilities to detect and evade sandboxes. Unlike others that sleep for a predetermined period of time before executing, Rombertik writes a byte of random data to memory 960 million times, Cisco said. Sandboxes cannot differentiate this stall tactic from normal behavior, and also, if all that data is logged, the size of the log would exceed 100Gb and would take a half-hour to write to the hard drive. This is just one of three anti-analysis checks, Cisco said.
If the malware passes those checks, it will install itself in the startup folder and into AppData to ensure persistence. It will eventually copy the executable a second time and overwrite memory of the new process with the unpacked executable, Cisco said.
“The unpacking code is monstrous and has many times the complexity of the anti-analysis code. The code contains dozens of functions overlapping with each other and unnecessary jumps added to increase complexity,” the Talos report said. “The result is a nightmare of a control flow graph with hundreds of nodes.”
The malware, however, is not done with its anti-analysis checks. The malware computes a hash of a resource in memory and compares it to the unpacked sample, and if there’s been an alteration, it will first attempt to overwrite the Master Boot Record of the physical disk. If that fails, it destroys all the files in the user’s home folder, encrypting each file with a randomly generated RC4 key.
“One of the things that’s interesting about this malware is that it doesn’t have one malicious feature, it’s got several,” Williams said. “At nearly every turn, it attempts to hang, destroy, or take up storage space of static or dynamic analysis tools. The more samples we see, the more problems companies are likely going to have. [Other attackers] are going to find this effective and copy it.”
Most of the phishing and spam emails pushing Rombertik carry a similar theme of an organization making a business pitch to work with an enterprise. One sample shared by Cisco shows the attackers impersonating “Windows Corp.” and pitching a business partnership with a semiconductor manufacturer.
The messages contain an infected attachment in a .zip file. If the user downloads and unzips the file, they will see a document thumbnail, such as a PDF icon, for example. The file is really a .scr file that contains Rombertik. If the malware passes all the checks and executes, it scans running processes looking for instances of Chrome, Firefox or Internet Explorer running on the machine and injects itself into the process. The malware hooks API functions that handle plaintext data, Cisco said, and reads anything typed into the browser before it’s encrypted and sent over HTTPS. Data such as usernames, passwords, account numbers and more are at risk.
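The delivery step above (a .scr executable shipped inside a .zip, named so that it shows a document icon) is something a mail gateway or analyst can check for before the attachment is ever opened. The following is an added example, not code from the Cisco Talos report: it inspects a zip archive in memory, flags entries whose final extension is executable (the .scr case the article describes, plus a few similar Windows-executable extensions chosen here as an assumption), notes when the name carries a document extension in front of it, and separately flags any entry whose content starts with the "MZ" PE header regardless of its name. The sample archive is constructed inline.

```python
import io
import zipfile

# Extensions Windows will run on double-click. .scr is the one the article
# describes; the rest are illustrative companions (assumption, not exhaustive).
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions a lure might put in front of the real one so the name "looks" like a document.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".rtf"}


def suspicious_entries(zip_bytes):
    """Return a list of (entry name, reason) for entries worth blocking or reviewing."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            basename = info.filename.rsplit("/", 1)[-1]
            parts = basename.lower().split(".")
            reasons = []

            # Name-based check: final extension is executable, optionally disguised
            # with a document extension right before it (e.g. proposal.pdf.scr).
            if len(parts) >= 2:
                ext = "." + parts[-1]
                if ext in EXECUTABLE_EXTENSIONS:
                    reason = "executable extension %s" % ext
                    if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
                        reason += " disguised as %s" % ("." + parts[-2])
                    reasons.append(reason)

            # Content-based check: a PE file starts with "MZ" whatever it is called,
            # so a renamed executable is caught even when the extension looks harmless.
            with zf.open(info) as fh:
                magic = fh.read(2)
            if magic == b"MZ":
                reasons.append("PE header (MZ) in content")

            if reasons:
                findings.append((info.filename, "; ".join(reasons)))
    return findings


def build_zip(entries):
    """Build a zip archive in memory from {name: bytes}; used to construct test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: a fake "proposal" that is really a screensaver executable,
# a renamed executable with an innocent extension, and a genuinely benign file.
SAMPLE_ZIP = build_zip({
    "partnership_proposal.pdf.scr": b"MZ" + b"\x00" * 62,
    "notes.txt": b"MZ" + b"\x00" * 62,
    "readme.txt": b"plain text, nothing to see",
})

if __name__ == "__main__":
    for name, reason in suspicious_entries(SAMPLE_ZIP):
        print("%s: %s" % (name, reason))
```

The content check matters because the name check alone is defeated by any extension the filter does not list; the name check matters because a gateway can apply it without reading the whole entry, and a double extension in front of .scr is a strong lure signal on its own.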
Rombertik does not target specific data; it steals as much as it can from the victim, Base64 encodes it and sends it to the attacker’s command and control server. Cisco listed one domain in its report: www[.]centozos[.]org[.]in/don1/gate.php.
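The one command and control URL Cisco published is given in defanged form, which is how indicators are usually shared but not how they appear in proxy logs. The following added example (not code from the report) refangs that indicator, normalizes it to a host and path, and scans web-proxy log lines for requests to it, so that hits survive scheme, port and case differences. The log lines and their format (timestamp, client IP, method, URL, status) are constructed for the example.

```python
from urllib.parse import urlsplit

# Indicator exactly as listed in the Cisco Talos report, in defanged form.
C2_INDICATOR = "www[.]centozos[.]org[.]in/don1/gate.php"


def refang(ioc):
    """Turn a defanged indicator back into a matchable one."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def normalize(url):
    """Reduce a URL (with or without scheme/port) to (lowercased host, path)."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return host, path


def find_c2_requests(log_lines, indicator=C2_INDICATOR):
    """Return the log lines whose request URL matches the indicator's host and path."""
    wanted = normalize(refang(indicator))
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than crash the sweep
        url = fields[3]  # assumption: URL is the fourth field in this constructed format
        if normalize(url) == wanted:
            hits.append(line)
    return hits


# Constructed proxy log: one benign request, one direct hit, one hit on a
# non-standard port, one same-host request to a different path.
SAMPLE_LOG = [
    "2015-05-04T10:11:58Z 10.0.0.12 GET https://www.example.com/index.html 200",
    "2015-05-04T10:12:01Z 10.0.0.12 POST http://www.centozos.org.in/don1/gate.php 200",
    "2015-05-04T10:12:07Z 10.0.0.19 POST http://WWW.centozos.org.in:8080/don1/gate.php 200",
    "2015-05-04T10:12:09Z 10.0.0.19 GET http://www.centozos.org.in/ 404",
]

if __name__ == "__main__":
    for line in find_c2_requests(SAMPLE_LOG):
        print(line)
```

Matching on host plus path rather than on the raw string is deliberate: a straight substring search misses the port variant and, if run on the defanged form by mistake, matches nothing at all. The last sample line shows the trade-off in the other direction, since a request to the same host but a different path is not flagged by this exact-path match; whether to alert on the host alone is a tuning decision for the environment.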
“When we first observed it at the beginning of the year, it was fairly unknown and had almost zero detection rates,” Williams said. “Today there’s a decent amount of detection for it, and at this point, it’s just being sent out shotgun style.”