
Cyber criminals and security researchers face each other every day in a never-ending battle. They are two sides of a single coin – one tries to create hazardous programs and malware, and the other works to find better ways to secure networks and systems. The threats faced by security systems continue to evolve each day.

This malware was identified by Cisco, which shared information about this PC-destroying malware on its Talos Group blog. Rombertik is built to intercept any text entered into a browser window. According to Cisco, it is currently being spread through phishing and spam messages.

If Rombertik detects that it is being analyzed on a system, it destroys the PC’s master boot record (MBR). Otherwise it reads the user’s credentials and other personal data and passes them to the attacker. This is similar to Dyre, which was designed to collect banking information, but the scope of Rombertik is much wider: it collects data from all types of websites.

How does Rombertik work?

As I mentioned above, Rombertik is spread via phishing and spam messages. The attacker could send the malware to its target using various social media tactics or email. If the target downloads the attached documents and unzips them, they see a file that looks like a document thumbnail, but it is actually a .SCR executable file containing the deadly Rombertik.
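The delivery trick described above (an executable inside a zip attachment, dressed up as a document) is something mail gateways and endpoint tools can check for before a user ever clicks. The following is an added example, not code from the original article or from Cisco: it scans a zip archive held in memory and flags members that carry an executable extension such as .SCR, hide a document extension before the real one (a double extension), or start with the PE "MZ" header while pretending to be a document or image. The extension lists and the sample archive are constructed for this example.

```python
from __future__ import annotations

import io
import zipfile

# Extensions Windows will run even when the file shows a document-style icon.
# The article names .SCR; the others are added here as commonly abused
# executable extensions (an assumption for this example, not from the article).
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}
# Extensions a user expects to be harmless documents.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def classify_member(name: str, head: bytes) -> list[str]:
    """Return the reasons an archive member looks suspicious (empty list if none)."""
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]      # drop any directory prefix
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""

    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")

    # Double extension such as invoice.pdf.scr: a document extension sits right
    # before the real (executable) one, so Explorer may show only "invoice.pdf".
    if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTS:
        reasons.append(f"document extension .{parts[-2]} hidden before {ext}")

    # Every Windows PE file begins with the DOS header magic "MZ", whatever
    # name it was given; a non-executable extension with this header is a lie.
    if head[:2] == b"MZ" and ext not in EXECUTABLE_EXTS:
        reasons.append("PE header (MZ) but non-executable extension")

    return reasons


def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Scan every file in a zip archive (bytes); return {member name: reasons}."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)                 # only the magic bytes are needed
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: one real document plus two disguised PE stubs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "quarterly numbers")
        # Fake PE stub with a double extension, mimicking the .SCR lure
        zf.writestr("invoice.pdf.scr", b"MZ\x90\x00" + b"\x00" * 60)
        # PE stub hiding behind an image name
        zf.writestr("photo.jpg", b"MZ\x90\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample_zip()).items():
        print(f"{member}: {'; '.join(why)}")
```

In practice the archive bytes would come from the attachment store of a mail gateway or from a quarantine folder; the "MZ" check is what catches a renamed executable that a pure extension filter would miss.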

Once the file is clicked, Rombertik starts executing. It runs several checks to see whether it is running inside a sandbox. After that, it installs itself on the target system; about 97% of the unpacked file looks legitimate. To dodge any analysis tool trying to trace it, it writes 960 million random bytes to memory, so an application that logs its activity while trying to detect the malware would be swamped with more than 100GB of log files.

[Image: Rombertik compromise flow diagram. Image: Cisco]

After confirming that it isn’t running inside a sandbox, it computes a 32-bit hash. It then launches its attack on the Master Boot Record of your system, making it nearly impossible to restore the drive.

If it is unable to tamper with the Master Boot Record, it instead destroys all files in the user’s home folder, i.e. C:\Documents and Settings\Administrator, encrypting them with an RC4 key.
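Because the MBR attack described above is what makes recovery so hard, the defensive counterpart is to keep a known-good copy of the first sector and check it regularly. The following is an added example, not code from the article or from Cisco: it parses a 512-byte MBR sector, verifies the 0x55AA boot signature and the four partition-table entries, and compares the sector's SHA-256 against a recorded baseline so that an overwritten sector is reported before the next reboot fails. The sample "healthy" and "destroyed" sectors are constructed in memory; nothing here touches a real disk.

```python
from __future__ import annotations

import hashlib
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xAA"          # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446          # four 16-byte entries follow the boot code
ENTRY_FORMAT = "<B3sB3sII"            # status, CHS start, type, CHS end, LBA start, sector count


def parse_partition_table(mbr: bytes) -> list[dict]:
    """Decode the four partition entries of an MBR sector."""
    entries = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            ENTRY_FORMAT, mbr, PARTITION_TABLE_OFFSET + 16 * i
        )
        entries.append({
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return entries


def baseline_hash(mbr: bytes) -> str:
    """SHA-256 of the sector, to be stored when the system is known to be healthy."""
    return hashlib.sha256(mbr).hexdigest()


def check_mbr(mbr: bytes, expected_sha256: str | None = None) -> list[str]:
    """Return a list of problems found in the sector (empty list means it looks intact)."""
    problems = []
    if len(mbr) != SECTOR_SIZE:
        return [f"sector is {len(mbr)} bytes, expected {SECTOR_SIZE}"]

    if mbr[510:512] != MBR_SIGNATURE:
        problems.append("boot signature 0x55AA missing")

    if expected_sha256 is not None and baseline_hash(mbr) != expected_sha256:
        problems.append("sector hash differs from recorded baseline")

    entries = parse_partition_table(mbr)
    if not any(e["type"] != 0 for e in entries):
        problems.append("partition table empty")
    if sum(e["bootable"] for e in entries) > 1:
        problems.append("more than one partition flagged bootable")
    if any(e["type"] != 0 and e["sectors"] == 0 for e in entries):
        problems.append("partition with zero length")

    return problems


def build_sample_mbr() -> bytes:
    """Constructed healthy sector: a jump stub, one active NTFS-type partition, valid signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xEB\x3C\x90"     # typical jump over the BPB area; no real boot code
    struct.pack_into(ENTRY_FORMAT, sector, PARTITION_TABLE_OFFSET,
                     0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


def build_destroyed_mbr() -> bytes:
    """Constructed stand-in for an overwritten sector (all zeros); not the malware's real payload."""
    return bytes(SECTOR_SIZE)


if __name__ == "__main__":
    good = build_sample_mbr()
    stored = baseline_hash(good)          # would be written to a file at install time
    print("healthy sector:", check_mbr(good, stored) or "OK")
    print("destroyed sector:", check_mbr(build_destroyed_mbr(), stored))
```

On a live Linux host the sector to feed into `check_mbr` is the first 512 bytes of the block device (for example read from `/dev/sda` as root); the baseline hash belongs on separate, read-only storage, since a sector that can be rewritten can just as easily have its recorded hash rewritten beside it.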

Conclusion and precautions:

Cisco says that Rombertik is a complex piece of multi-layered malware. Users should follow good security practices: keep their anti-virus updated, avoid clicking attachments from unknown sources and take more care when dealing with emails. Cisco has also mentioned some of its security products that protect users from such threats.

Via: Cisco

Share this news with your friends and make them aware of this deadly suicide-bombing virus Rombertik.
