Rombertik is a new malware that is making data security headlines, as it collects everyday data you may enter into websites. It specifically targets collecting the data that users type in fields on websites, such as usernames, passwords, addresses, phone numbers, etc. It is spread through phishing emails. Below is the information to be aware of from Fossbytes.com:
This malware is identified by Cisco and they shared the information about this PC destroying malware on their Talos Group blog. Rombertik is made to intercept any text entered as an input in a browser window. According to Cisco, this is currently being spread through phishing and spam messages.
If the Rombertik malware is analyzed on a system, it destroys PC’s master boot record (MBR). It reads user’s credentials and other personal data and passes it to the attacker. This is similar to Dyre that was designed to collect the banking information. The scope of Rombertik is much wider and it collects data from all types of websites.
How Rombertik works?
As I mentioned above, Rombertik is spread via phishing and spam messages. The attacker could send the malware to its target using various social media tactics or email. If the target chooses to download the attached documents, on unzipping the target sees a file looking like a document thumbnail, but it’s a .SCR executable file containing the deadly Rombertik.
Once the file is clicked, Rombertik starts its execution. It does some checks to see if it’s running inside the sandbox. After this, it installs itself inside the target system and about 97% of the unpacked file looks legitimate. To dodge the applications trying to trace it, it starts writing 960 million random bytes to the memory. So, if any application tries to detect the malware, it would be swamped with more that 100GB log files.
After confirming that it isn’t running inside the sandbox, it computes a 32-bit hash. Then it launches the attack against the Master Boot Record of your system and makes it near about impossible to restore the drive.
If it is unable to play with the Master Boot Record, it destroys all files in user’s home folder i.e. C:\Documents and Settings\Administrator using an RC4key.
Conclusion and precautions:
Cisco says that Rombertik is a complex piece of multi-layered malware. Users must follow good security measures like keeping their anti-virus updated, avoiding clicks on attachments from unknown sources and taking more robust care while dealing with emails.