I recently came across a classic malware which I thought was long gone and forgotten. However, in these times of sourced code leaks and reuse, attackers are recycling and updating old code into something new.
Rombertik is a self-destructing malware that has been making a lot of news. It is typically distributed via phishing and spam attack vectors. This malware leverages vulnerabilities through a Web browser’s operation of collecting user data from sites being visited by the victim. This collected information includes login credentials and other private tidbits for exfiltration to the attacker’s command and control server.
Rombertik attacks are based on social engineering, tricking users into downloading the executable program which is disguised as a PDF file. Java-based applets and applications running in the Web browser can also be used to hide, and ultimately launch, Rombertik.
Rombertik has a number of obfuscation and evasion technologies that make it difficult to debug. If the malware suspects it is being analyzed, it will attempt to write over the primary computer disk’s Master Boot Record (MBR) sector.
Details of the Breach
Rombertik is typically distributed in what appears to be a PDF file. The icon will be modified to look like a document for the user to preview. The malware file uses a typical extension-hiding technique to make it appear that it is a PDF document, but it is actually a file with a .scr extension.
The malware establishes an outbound connection for Command and Control (C&C) servers on TCP ports 80, 2000, 20005, and 20006.
What We Learned
Rombertik is not the first malware that uses analysis evasion techniques. Many different malware authors deploy these types of capabilities. Malware authors basically destroy MBR records and cause general havoc in a computer as an attempt to stop their malware from being analyzed or modified and repurposed by other attackers through the reuse of the code.
We have seen large numbers of malware being distributed as hidden .scr or .vbs files. Unless there is a specific need to allow them into the network, I highly suggest blocking these types of attachments from entering your infrastructure.
Is that an over-simplified solution? Possibly. Please understand that attackers will use a variety of techniques to hide malware extensions from users, and obfuscate file types to subvert network security technologies.