What is Rombertik? Latest Spyware Attacks Your Computer if Detected


What is Rombertik? Latest Malware Attack Triggers Destruction Tactics Upon Detection

Just yesterday, security experts discovered the latest strain of malware, nicknamed “Rombertik”, a specialized “wiper” malware smart enough to actively take precautions to help itself avoid detection. 

But most importantly: If Rombertik even suspects, let alone confirms malware analysis, it will activate a number of “self-destruct” type functions on the host computer it has infected to stop you in your tracks. Here’s hoping you have updated backup solutions in place…

Rombertik Self Destruct Danger IT

 Why self-destruct? Doesn’t that harm Rombertik’s goals too?

One of the greatest dangers of Rombertik is the malware’s obsessive secrecy, for its creators are determined not to allow malware analysis to be run on their latest masterpiece. Chris Stobing has gone as far as dubbing “Suicide Bomber” of malware attacks.

Why such an extreme title? As soon as it suspects detection, Rombertik overwrites all vital information on your computer, which in turn makes you lose all of your data and forces you to reinstall your operating system and restore your files from backups.


How does it know? What triggers Rombertik’s destroy function?

In the beginning of its attack, as soon as it is up and running, Rombertik completes multiple checks to ensure that it has not been detected.

According to the Talos team of cybersecurity experts responsible for its discovery, Rombertik, “is unique in that it actively attempts to destroy the computer if it detects certain attributes associated with malware analysis.”

 How is this conducted? Don’t most malware attacks try to avoid detection?

While most malware attacks these days include instructions and commands to help them evade discovery, Rombertik will automatically compute a 32-bit hash and encrypt its victim’s hard drive if at any point the infection suspects a disturbance to its operations.

 Rombertik_Compromise-flow_Infographic

Furthermore, the Rombertik’s infection methodology, “incorporates several layers of obfuscation along with anti-analysis functionality,” (meaning that it has the capability of actively fighting off malware analysis in multiple different ways).

The attackers have also developed a way of evading sandboxes, which have traditionally been overcome by enforcing extended “sleep” periods before executing in order to get past sandbox timeouts.

As security specialists identified this method, sleeping lost effectiveness, which is why Rombertik instead chooses flood memory by the writing of a byte of random data to memory 960 million times.

By exploiting the scale of  this new strategy, Rombertik is able to consume time without being flagged as sleeping, and also manages to flood application tracing tools with over 100 gigabytes of logged data, which further complicates and derails any potential analysis.


 Rombertik Muhammad Ali Malware Knockout

The Final Punch/ Going in for the Kill

Remember that 32-bit hash we mentioned? As a final anti-analysis tactic, Rombertik will computer a 32-bit hash of a resource in its host machine’s memory, which it then compares to the timestamp of is original sample upon creation. If the malware discovers that the sample has been accessed or altered in any way, Rombertik goes into “Destroy” mode.

 This Includes:

1.)    Overwriting the Master Boot Record (MBR) of PhysicalDisk0, which will fry your machine and leave it inoperable

2.)    If it is unable to overwrite your MBR, Rombertik will destroy all files in the user’s Home folder and encrypt each one using a randomly generated RC4 key.

3.)    Following the completion of MBR overwrites and Home folder encryption, Rombertik restarts its victims’ computer, but not without implementing code which forces an infinite loop and stops the system from being able to continue onto fully rebooting.

 


So what is this malicious spyware attack after?

Its sophisticated software for attacking to avoid detection is what makes it unique, but in terms of data capture, Rombertik isn’t picky.

Once it has infected your computer, it gathers any and everything that you do through monitoring all of your behavior on the we and each and every keystroke that you make.

Why? By capturing all of your activity before transmission, secure methods such as HTTPS become irrelevant. This method of lying in wait methodology helps Rombertik evade detection while it discovers the details of your business and your users’ sensitive data.

Once Rombertik has succeeded in transmitting the the data it has gathered while spying on you, specialized scripts can be used to identify your login credentials, passwords and payment information from the logs ofyour behaviors on the web and each keystroke that you make.

 


 You_Can_Fight_Back_Yes_You_Can

How do I keep this from happening to my business?

Considering that Rombertik relies heavily on spam and phishing attacks, the best place to start is by implementing strong security practices. For more information on how you can avoid malware attacks, check out this blog from one of Bay Computing’s senior technicians, Matt Simpson.

 Need a quick overview? As an intro your organization should:

  1. Make sure anti-virus software is installed on all machines accross your organization
  2. Regularly update your anti-virus solution
    1. (The best option is working with your IT managed service provider to implement a centrally managed antivirus solution which automatically takes care of all updates for you)
  3. Teach users not to click on attachments from unknown senders or messages which seem out of place from known senders
    1. (Think safe, not sorry when it comes to malware)
  4. There is never a failproof solution, but implementing and following best security practices is one of the most effective methods out there
  5. Implement the right Spam filter to block suspicious emails and attachment types
  6. Utilize backup and data recovery solutions to ensure that your business continuity is protected, no matter what happens.
    1. Double-check (and then triple-check) that your backups are set to occur regularly and that they are completed successfully
  7. Work with your technology provider to ensure that your computer network services are implemented with a threat-centric approach which incorporates protections across your extended network and your full business IT environment.

 If you have any questions about implementing the right security solutions for your organization, need help fighting your way through a malware attack or are simply looking for the right IT service provider for your Bay Area business, contact us today!


 

Comments are closed.

BAY COMPUTING

San Francisco Office
315 Montgomery St., 9th Fl
San Francisco, CA 94104

P 415-759-8500

Concord Office
1800 Sutter St., Ste 680
Concord, CA 94520

P 925-459-8500

SEND US A MESSAGE