A few days ago the Talos Research Group, which supports Cisco by creating threat intelligence, released a blog about a piece of malware known as Rombertik, which has gained a lot of attention mainly because of its anti-analysis capabilities.
We’ve talked a bit about anti-analysis in our blog before, but Rombertik seems to be a little “overly-paranoid”.
What’s mostly uncommon about Rombertik is that, unlike much of the other malware in circulation today, Rombertik will trash the user’s hard drive if certain hash values don’t line up. This is an uncommon practice in malware, although it does happen on occasion.
An infected user’s screen after Rombertik trashes the hard drive.
Unlike those examples though, Rombertik doesn’t appear to be a state-sponsored malware. Instead, it mostly appears in phishing messages and other spam which will fall into the hands of everyday users.
Much like everyday malware, most of Rombertik’s actions aren’t too unique. When looking at the picture depicting Rombertik’s course of action, its noted the malware performs a lot of the same techniques seen in malware over the last several years; things like creating “excessive activity” to blow up procmon logs or having the binary overwrite itself in memory with unpacked code (Run PE) isn’t anything new in the world of malware.
What makes this malware atypical outside of the trashing a user’s hard drive are a few notable things.
First, it has a very, very, bloated size. According to Talos, the unpacked Rombertik sample is a mere 28KB while the packed version is over 1MB, meaning that “over 97 percent of the packed file is dedicated to making the file look legitimate by including 75 images and over 8000 functions that are never used”.
This isn’t commonly seen in malware, but it can be very effective at thwarting less-experienced analysts who commonly get caught up in analyzing unnecessary functions.
Secondly, it uses some unconventional methods to delay execution. Many sandboxes, like the well known Cuckoo sandbox, hook relevant APIs like kernel32!Sleep, which tells the program to sleep for a specified time. By hooking the API, Sandboxes can intercept the call and patch the code, bypassing the program’s instruction to Sleep.
In the case of Rombertik, the malware writes random bytes to memory many times before proceeding execution. This would be something that conventional malware sandboxes don’t account for, and therefore would be considered an anti-sandbox technique.
Malwarebytes Anti-Malware detects Rombertik as Trojan.Ransom.ED. For any additional questions or comments about the malware, be sure to post a comment below.
Thanks for reading, and stay tuned for more news about current malware threats.
For the full report on Rombertik by Talos, click here.