A new form of spyware is making headlines. Rombertik is designed to steal usernames and passwords, but if it finds that it is being analysed, it destroys the computer's boot record.
Like other malware such as Dyre and Cryptolocker, Rombertik is delivered through phishing campaigns. Cybercriminals use social engineering to trick users into opening phishing emails, which “fish for” confidential information. Dyre is designed to steal credentials from online banking sites. Cryptolocker encrypts the user’s files (making them unreadable) and demands a ransom for the decryption key. Rombertik has features of both: it collects credentials from every website the victim visits (not just banking sites), and, if it detects analysis, it renders the victim’s computer unusable.
How you get Rombertik:
- The victim receives a spam or phishing message carrying a ZIP attachment, unzips it, and double-clicks the file inside. That file is the malware, and opening it installs it.
What it does:
- Rombertik intercepts plaintext typed into a browser window in order to collect the usernames and passwords the victim enters on websites.
- Once running on a Windows computer, it first checks whether it is inside a sandbox (an isolated, instrumented environment that security tools use to analyse suspicious files).
- It then tries to wear the sandbox out. Other malware waits out the sandbox by sleeping for a long time, but sandboxes now fast-forward sleep calls, so Rombertik instead burns time by writing a byte of random data to memory over and over (roughly 960 million times, according to the Cisco Talos analysis). The flood of writes overwhelms application-tracing tools and can exhaust the sandbox’s analysis window.
- If it detects signs of malware analysis, it overwrites the Master Boot Record (MBR), the first sector of the disk, which the computer needs in order to boot. If it cannot write to the MBR (writing the raw disk requires administrator rights), it instead encrypts the files in the user’s home folder.
- After the overwrite or encryption, it forces a restart. The replaced MBR contains code that prints “Carbon crack attempt, failed” and loops forever, so Windows never loads; the computer stays on that screen until the disk is repartitioned and the operating system reinstalled.
- If Rombertik detects no analysis, it launches a second copy of itself and overwrites that process’s code with its real payload (a technique known as process hollowing). The payload hooks the browser so it can read what the user types before the browser encrypts it for HTTPS, and it sends the captured data to the attacker’s server in the clear.
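Because the damage described above is done to the first sector of the disk, an incident responder can confirm a Rombertik-style wipe from a disk image without booting it. The following is an added example (not code from the original post or from any published Rombertik analysis) that parses a 512-byte MBR, checks the 0x55AA boot signature and the four partition entries, and looks for the “Carbon crack attempt” banner in the boot code. Both sample sectors are constructed here; the helper names and the 0x07 partition type are assumptions for illustration.

```python
"""Inspect the first sector (MBR) of a disk image for the damage described
above: an empty partition table and the "Carbon crack attempt" banner in the
boot code. Added example; the two sample sectors below are constructed."""
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a bootable sector
WIPE_BANNER = b"Carbon crack attempt"  # text the overwritten MBR prints


def parse_partitions(sector):
    """Decode the four 16-byte primary partition entries at offset 446."""
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, num_sectors = struct.unpack_from("<II", sector, off + 8)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": num_sectors})
    return entries


def assess_mbr(sector):
    """Return findings for one 512-byte sector; 'suspicious' is True if any."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    sector = bytes(sector[:SECTOR_SIZE])
    used = [p for p in parse_partitions(sector) if p["type"] != 0 and p["sectors"] > 0]
    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if not used:
        findings.append("partition table empty")
    if WIPE_BANNER in sector:
        findings.append("wipe banner present in boot code")
    return {"suspicious": bool(findings), "findings": findings, "partitions": used}


def build_sector(boot_code, partition_table):
    """Helper to construct sample sectors (not real disk data)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    sector[446:446 + len(partition_table)] = partition_table
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed healthy sector: one active NTFS (type 0x07) partition at LBA 2048.
HEALTHY = build_sector(
    b"\x33\xc0\x8e\xd0",  # first bytes of typical boot code: xor ax,ax / mov ss,ax
    bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 1_000_000))

# Constructed wiped sector: partition table zeroed, boot code replaced by the
# banner and an infinite loop (EB FE is "jmp $"). It keeps 0x55AA, since the
# BIOS does boot it, so the signature check alone would not catch it.
WIPED = build_sector(WIPE_BANNER + b", failed\x00\xeb\xfe", b"\x00" * 64)

if __name__ == "__main__":
    for label, sec in (("healthy", HEALTHY), ("wiped", WIPED)):
        print(label, assess_mbr(sec))
```

To run this on a real image, pass the first 512 bytes of the file (`open("disk.img", "rb").read(512)`) to `assess_mbr`. Reading the live disk (`\\.\PhysicalDrive0` on Windows) needs administrator rights and should only be done from a clean system with the suspect disk attached read-only; neither is assumed by the code above.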
What you can do to protect yourself:
- Make sure you have anti-virus software installed and that it is kept up to date.
- Use a spam filter with policies that block risky attachment types, including executables hidden inside ZIP archives.
- Don’t open attachments from unknown senders, and be wary of unexpected attachments from known ones, since sender addresses are easily forged.
- Use a comprehensive backup solution, kept offline or otherwise out of reach of malware, that can restore your computer if you become a victim.
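The second and third points above come down to one check: what is actually inside the attachment? The following is an added example (not the post’s own tooling or any vendor product) of the kind of triage a mail filter performs. It opens a ZIP attachment in memory, flags members with executable extensions, double extensions such as `invoice.pdf.scr`, or content that starts with the `MZ` header of a Windows executable regardless of name, and it flags encrypted members it cannot inspect. The extension lists, function names and both sample attachments are assumptions constructed for illustration.

```python
"""Triage an e-mail attachment the way a mail-filter policy might: open ZIP
archives in memory and flag executable content, including files renamed to
look like documents. Added example with constructed sample attachments."""
import io
import zipfile

# Extensions Windows runs on double-click (assumed blocklist; extend as needed).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "msi", "cpl", "dll"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows executable


def check_name(name):
    """Reasons to distrust a file name, e.g. invoice.pdf.scr."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    reasons = []
    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable extension ." + parts[-1])
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        reasons.append("double extension disguised as a document")
    return reasons


def check_content(head):
    """Flag executable content by magic bytes, whatever the file is called."""
    return ["content starts with MZ (Windows executable)"] if head[:2] == PE_MAGIC else []


def triage_attachment(filename, data):
    """Return {'block': bool, 'findings': {member: [reasons]}} for one attachment."""
    findings = {}
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                key = filename + ":" + info.filename
                if info.flag_bits & 0x1:  # encrypted member: content cannot be inspected
                    findings[key] = ["encrypted archive member, content not inspectable"]
                    continue
                with zf.open(info) as fh:
                    head = fh.read(2)
                reasons = check_name(info.filename) + check_content(head)
                if reasons:
                    findings[key] = reasons
    else:
        reasons = check_name(filename) + check_content(data)
        if reasons:
            findings[filename] = reasons
    return {"block": bool(findings), "findings": findings}


def make_zip(members):
    """Build a ZIP in memory from {name: bytes}; used only for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a phishing-style archive hiding a screensaver executable
# behind a .pdf name, and a harmless archive containing a real PDF header.
PHISH_ZIP = make_zip({"invoice.pdf.scr": b"MZ" + b"\x00" * 62, "readme.txt": b"please open"})
CLEAN_ZIP = make_zip({"report.pdf": b"%PDF-1.4\n%%EOF\n"})

if __name__ == "__main__":
    print(triage_attachment("invoice.zip", PHISH_ZIP))
    print(triage_attachment("report.zip", CLEAN_ZIP))
```

The encrypted-member branch matters in practice: attackers password-protect archives precisely to defeat content inspection, so a filter that cannot look inside should treat the attachment as blocked, not as clean. The check is also deliberately name-independent for the `MZ` test, because the extension is under the attacker’s control and the magic bytes are not.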
Cybercriminals are getting more and more sophisticated in their attacks. This newest malware demonstrates that with its focus not only on stealing user data but on destroying the machines of anyone who tries to analyse it. Your company needs to take action to protect itself. Train your staff about cybersecurity and how to recognise phishing emails. Protect your computers and network with appropriate technology to block malware. If you do fall victim to malware like Rombertik, a comprehensive backup solution is what will restore your systems and data to their pre-incident state.
IT is fundamental to operating your business. The executive team at Big Idea Technology has over 40 years of combined experience implementing solutions to protect our clients’ data. Contact us to discuss how to implement protective technology at your company.