A malware variant named “Rombertik” recently made headlines for its ability to wipe the Master Boot Record (MBR) of a machine if it detected the presence of analysis or debugging functions.
For example, Rombertik can detect system strings that contain “malwar,” “sampl,” “viru,” and “sandb,” – all commonly used strings by malware researchers and online sandboxes. Some external libraries are called in order to complete this task, and this is an example where the attackers are using publicly available tools that are made for research purposes in order to save time and effort.
Some open source projects such as ‘pafish’ use the following pattern in order to detect virtual machines/debuggers:
https://github.com/a0rtega/pafish/blob/master/pafish/gensandbox.c
Here is a code snippet of the procedure:
int gensandbox_path() {
char path[500];
size_t i;
DWORD pathsize = sizeof(path);
GetModuleFileName(NULL, path, pathsize);
for (i = 0; i < strlen(path); i++) { /* case-insensitive */
path[i] = toupper(path[i]);
}
if (strstr(path, “SAMPLE”) != NULL) {
return TRUE;
}
if (strstr(path, “VIRUS”) != NULL) {
return TRUE;
}
if (strstr(path, “SANDBOX”) != NULL) {
return TRUE;
}
return FALSE;
}
Origins
Based on cloud intelligence, we know that the first Rombertik file appeared in the wild around January 2015. At that time, only nine AV solutions detected the threat.
Rombertik is a heavily packed malware, which prevents products that base their detection solely on static detection methods to detect it.
Cisco’s Talos group, which discovered the latest variant noted that:
“Rombertik incorporates several layers of obfuscation along with anti-analysis functionality. Obfuscating the functionality of a malware sample can be accomplished in many different ways. A common method is to include garbage code to inflate the volume of code an analyst might have to review and analyze. In this case, the unpacked Rombertik sample is 28KB while the packed version is 1264KB. Over 97% of the packed file is dedicated to making the file look legitimate by including 75 images and over 8000 functions that are never used. This packer attempts to overwhelm analysts by making it impossible to look at every function.” (http://blogs.cisco.com/security/talos/rombertik)
This also means that static analysis based detection engines that rely on mapping the binary code, images and functions to try and find similarities using mathematical statistics and models will fail to detect the heavily packed file.
We’ve also seen more advanced methods to evade statistic analysis based detection, such as advanced packers that open the binary in phases during run time. This means that the malware will not fully open on the infected machine hard drive. Instead, it opens small chunks of code over time. Any solution that tries to compare static characteristics will not be able to detect the malware.
Distribution Method
The attackers used Zip attachments that contained a malicious SCR file to distribute the malware – an increasingly common distribution method.
Since the majority of users are aware that .exe files are potentially malicious, attackers are renaming them using a .SCR extension in order to appear innocuous. Meanwhile, the Windows loader treats the file as a valid executable, and runs it.
When we ran Rombertik against an old version of the SentinelOne EDR agent (signed binary and definitions from 8 months ago), the agent managed to detect and block the threat before it could do any damage, by identifying the malicious behaviors tied to the execution of the sample and spawned processes.
Exfiltration and Communication
Numerous companies have already conducted a technical analysis of the threat, so we decided to investigate where the stolen data ended up.
First, we identified the domain Rombertik connected to, which in this sample was to a single domain that sent a POST request to www.centozos.org.in/don1/gate.php
.
We can see that the attackers used a free email service, meaning we can retrieve the password from the hosting control panel and extract some valuable intelligence. The current domain resolves to a bulletproof hosting panel in Poland.
Second, we gained access to the domain’s hosting panel.
Since the hosting panel (WHMCS) sends the first password in the welcome mail, we can learn the attackers’ preferred clear-text “master password.”
We can see from here that the attackers used “kasplit101” in every instance. We can also see that beginning in March 2015 this domain became inactive, and the attackers simply installed a blank copy of “PrestaShop” software on it.
The fact that the attackers installed a blank software service on the server in March indicates they have abandoned as soon as the first variant was detected.
Conclusion
This is another where commonly known malware techniques are packed with advanced evasion techniques. The latter allows common malware to conduct successful attacks for months without being detected, further emphasizing the need for behavior based detection rather than an increased focus on static indicators which are easily maneuverable.