While its chief goal is to watch your web traffic, it goes about that goal in remarkable fashion

By the time you reach the end of this piece you'll likely be wondering who wrote the malware program named Rombertik.  Was it the Russians?  North Korean or Chinese state hackers?  Or was it perhaps a lurking layer of America's own National Security Agency's (NSA) Orwellian domestic and international surveillance initiatives?  Or is the truth an even darker possibility?

I. Rombertik Will Destroy What it Cannot Covet

We may never know for sure, but thanks to a team of security researchers at Cisco Systems Inc. (CSCO) at least one layer of mystery has been peeled away.

Greek legends told of a brass giant named Talos who guarded the island nation of Crete from pirates and invaders.  In a nice nod to history and mythology, Cisco named one of its top teams of crack security experts "Talos."  And it was Talos (@talossecurity) who made the unlikely discovery of Rombertik, a piece of malware that goes to remarkable lengths to avoid analysis and throw hunters off the trail of its deviously disguised plans.

Perhaps the most obvious sign of attack comes via the distribution method.  At present the malware is being distributed by unknown parties via email spam.  The sample Talos discovered had faked email header information from "" and purported to be from "Windows Corporation".  The email encourages the user to download, unzip, and click on an attached file, which it claims is a business offer.

[Image: Rombertik spam email]

The attachment appears to be a PDF by its icon, but is really an *.scr file -- a Windows screensaver file.  Screensaver files are an increasingly popular exploit vector, since Windows allows them to execute shell script code.  The "WTF" malware that was spreading via Steam chat spam, for example, also leveraged the exploitability of this little-known file type.
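The lure described above (a zipped attachment whose name and icon suggest a PDF, but which is really an *.scr executable) is exactly what a mail-gateway triage step can catch before a user ever clicks.  The following is an added example, not code from the article or from Talos: it parses a message with Python's standard library, unpacks zip attachments in memory, and flags executable extensions, document-then-executable double extensions, and content that starts with the Windows PE "MZ" marker while claiming to be a document.  The sample message, the attachment name Business_Offer.pdf.scr and the sender address are constructed for the demonstration.

```python
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

# Extensions Windows will run as a program even when the icon suggests a document.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd",
                         ".vbs", ".js", ".jse", ".wsf", ".hta"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
MAX_INNER_BYTES = 50 * 1024 * 1024  # refuse to inflate anything larger (zip-bomb guard)


def classify_name(filename):
    """Findings derived from the attachment name alone."""
    findings = []
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return findings
    exts = ["." + p for p in parts[1:]]
    final = exts[-1]
    if final in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable attachment: {filename} ({final})")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS and final in EXECUTABLE_EXTENSIONS:
        findings.append(f"double extension disguises executable as document: {filename}")
    return findings


def classify_content(filename, data):
    """Findings derived from the first bytes of the attachment."""
    findings = []
    if data[:2] == b"MZ":  # DOS/PE executable header
        findings.append(f"PE executable content in {filename}")
        if any(filename.lower().endswith(e) for e in DOCUMENT_EXTENSIONS):
            findings.append(f"content/extension mismatch: {filename} claims a document but is PE")
    return findings


def inspect_blob(filename, data):
    """Inspect one attachment; descend into zip archives in memory."""
    findings = classify_name(filename) + classify_content(filename, data)
    if data[:4] == b"PK\x03\x04":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                inner_name = f"{filename}/{info.filename}"
                if info.file_size > MAX_INNER_BYTES:
                    findings.append(f"oversized archive member skipped: {inner_name}")
                    continue
                findings += inspect_blob(inner_name, zf.read(info.filename))
    return findings


def triage_message(raw_bytes):
    """Return a list of human-readable findings for every attachment in the message."""
    msg = email.message_from_bytes(raw_bytes, policy=default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        findings += inspect_blob(name, payload)
    return findings


def build_sample():
    """Constructed lure resembling the one in the article: a zip holding a fake PDF that is an .scr."""
    fake_pe = b"MZ" + b"\x00" * 62  # constructed stub, only the header bytes matter here
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Business_Offer.pdf.scr", fake_pe)
    msg = EmailMessage()
    msg["From"] = "Windows Corporation <offers@example.invalid>"  # constructed sender
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Business offer"
    msg.set_content("Please unzip and open the attached business offer.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Business_Offer.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_message(build_sample()):
        print(finding)
```

Three findings come back for the constructed sample: the .scr extension, the .pdf.scr double extension, and the PE header inside the archive member.  A real gateway would also compare the display name against the envelope sender domain, but the name and magic-byte checks alone are enough to quarantine this class of lure.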

When it comes to the screensaver guise and the spam message, polish is apparent.  But so far there's nothing to indicate this is a truly extraordinary program.  That quickly changes when you click and enter Rombertik's Inception-esque dark web.

Perhaps no malware sample chronicled to date goes to such great lengths to avoid detection.  Not even the legendary Flame and Stuxnet viruses that the U.S. government unofficially used to target Iranian nuclear and oil facilities featured such wild and crafty code to avoid detection.  The malware will literally destroy your system to try to escape analysis.

The highly destructive approach is admittedly a double-edged sword, as a false positive could destroy an unaware victim's computer, leading to detection.  But to its credit the malware does its homework.  It will do its darndest to make sure your machine never lives to tell its secrets.


As seen in the graphic above, the entire process goes something like this:
  1. Once clicked, the *.scr shellcode performs checks to see whether this is a conducive environment to attack.
  2. If that passes, the shellcode decrypts an 18 KB unpacking shellcode disguised within the *.scr.
  3. If the unpacker is correctly installed to its target location (%AppData%\rsr\yfoye.exe) it proceeds.  Otherwise the shellcode creates a VBS script that is placed in the current user's startup directory and attempts to decrypt and install the unpacking program to the desired location after each login.
  4. To escape sandboxing the code stalls by performing a lengthy repetitive process of writing a byte of random data to memory 960 million times.
  5. After the stall is complete, the central shellcode launches the executable to begin the unpacking process.
  6. The unpacker then unpacks a 28 KB true executable stored in hiding within the unpacking executable.
  7. It then starts a second process running its own executable.
  8. It then injects the unpacked executable into the memory of that second process.
  9. The malicious thread begins its execution by performing checks to see if it's being analyzed.
    • If either check fails it "self-destructs" your computer by overwriting the master boot record (MBR) of your primary disk, sending your computer into endless reboots.
      • If it can't overwrite the MBR because of insufficient permissions, it encrypts all files in your home folder (including itself) with random RC4 keys, effectively destroying all the user's files.
    • If no analysis efforts are detected it proceeds.
  10. Finally the code executes its true purpose.  It monitors for a browser (Chrome, Firefox, or Internet Explorer) to open, then injects code into that process and inserts API hooks that read plaintext data.
  11. Thus at the end of the attack the malware sees everything you type in the subverted browser, including URLs and passwords.
  12. That data is sent to ""
[Image: Rombertik attack API]
Rombertik sends logs of what you type in the browser to a shadowy gate node. [Image Source: Talos]

Screenshots from the MBR self destruct route and the changes that enable it are seen below, courtesy of Talos:




Talos researchers say this is the first instance they've seen of a piece of malware attempting to destroy a machine if it detects potential analysis efforts.

II. Disturbing Sophistication, Convolution

Perhaps equally disturbing to the self-destruct capabilities is the sophistication of the code.  Talos details that the malware itself is incredibly complex and convoluted.  In addition to the self-destruct code and other checks which look to avoid launching the attack if analysis is detected, Talos also outlines several other sophisticated layers of defense.

The first layer of defense comes in the nuances of the anti-sandbox stalling technique.  As Talos researchers point out, the idea of escaping sandbox attention by doing random work is clever in the first place: more sophisticated modern sandboxes, like the memory protection systems in Microsoft Corp.'s (MSFT) Windows 7/8/10 operating systems, are designed to watch for sleeping programs and avoid timing out the sandbox while a program sleeps, since sleeping is a more obvious sign of a program that might be looking to wait out the sandbox.

But the choice of random work is even more clever.  By flooding its memory space with millions of random writes, the malware will wreak havoc on application analysis tools that might be trying to check up on its behavior.  The result would be a roughly 100 gigabyte log file, which according to Talos would take around 25 minutes to write to disk.

The second layer of disguise is designed to make the malware look like an innocent executable.  The author(s) packs 75 images and 8000 unused functions into the packaged executable in order to try to throw researchers off the trail of the actual usable code in the attack package.  

[Image: Rombertik padding]

The third and final layer of disguise and defense against analysis is the unpacking code flow, and it's a doozy.  According to the researchers, the unpacking code, hidden within that junk padding, is nothing short of bewildering:

The unpacking code is monstrous and has many times the complexity of the anti-analysis code.  The code contains dozens of functions overlapping with each other and unnecessary jumps added to increase complexity.  The result is a nightmare of a control flow graph with hundreds of nodes.  Figures 3 and 4 help illustrate how complex the unpacking code is in comparison to all the code that performs anti-analysis checks.


The scariest part is that at the end of the day it remains unclear who the authors of this malware were, and what their objectives were.  Given the complexity one might assume that the code was written either by some sort of savant hacker or a group of government-funded hackers.

Also unclear is exactly how widespread Rombertik infections are.

The story of Rombertik is a crazy read.  And while Talos has peeled away some layers from this onion, it's clear there's still much that remains unknown.  And given the complexity of the program, the programmers will likely change up their code, spam strategy, and exfiltration target server in upcoming versions/successors to Rombertik.  In other words, while the general attack profile -- including the self-destruct -- will likely remain in future versions, the details will likely change, making it hard to identify and prevent.

Ultimately, what little we do know is that the old adage "don't open strange email attachments from unknown sources" applies.  You just might open perhaps the most devious malware ever concocted.

(All images courtesy of Cisco's Talos Group unless otherwise noted.)

Source: Talos [Cisco Blog]
