Meet the Rombertik, the malware that self-destructs when discovered

Researchers at the Cisco-owned Talos Security Intelligence and Research Group have discovered a piece of malware, named Rombertik, that can best be described as exhibiting kleptomaniac and suicidal behaviours.

Ben Baker and Alex Chiu, who were part of the team that unearthed Rombertik, found out that this malware lives on the victim’s browser, in a way similar to a parasite, and exfiltrates login details and other sensitive piece of information to an external server.

The data capture occurs at the source itself, i.e. as the target enters it in the browser, before the information is encrypted and sent over HTTPS.

While its propagation methods remains remarkably simple, relying mostly on social engineering and the gullibility of the weakest link in the system (i.e. human beings), it is what follows afterwards that makes it interesting.

“If the sample detected that it was being analysed or debugged it would ultimately destroy the master boot record [MBR]” wrote the pair.

A nasty piece of bits

Doing so just makes your computer unusable forcing you to reinstall your operating system altogether. If the malware doesn’t have the permission do that, it will encrypt the home folder and restart your computer.

That is not a new behaviour remarked David Emm, Principal Security Researcher at Kaspersky Lab. “”Trashing sections of a hard disk, or corrupting data was quite common in the 1990s – that was a time when the threat landscape was dominated by cyber-vandalism e.g. Michelangelo, Dark Avenger, Maltese Amoeba, Chernobyl. Equally, it’s an approach that has been employed more recently by ‘wipers’ (e.g. Shamoon) to sabotage infected systems. Likewise, encrypting data, while used in ‘old school’ attacks for mischief (e.g. One-half) has become a key feature in today’s ransomware programs.”

Making sure that your antivirus software is installed and up to date, that you don’t click on suspicious attachments and block certain types will go a long way to protect yourself.

Source: Cisco’s Talos