Cybersecurity researchers announced in early May that they had discovered a new strain of malware, known as Rombertik, that is exceptionally good at remaining undetected and resisting attempts at debugging.
The new malware was identified by analysts with Cisco’s Talos Group and employs anti-analysis functionality and numerous forms of obfuscation. Rombertik appears to have been designed specifically to avoid detection by both static and dynamic analysis tools. In a blog post about the malware, Cisco researchers Ben Baker and Alex Chiu noted that security analysts are always looking for better ways to detect and analyze malware, which in turn pushes malware authors to make their samples more evasive.
“As researchers have become more adept and efficient at malware analysis, malware authors have made an effort to build more evasive samples,” wrote Baker and Chiu. “Better static, dynamic and automated analysis tools have made it more difficult for attackers to remain undetected. As a result, attackers have been forced to find methods to evade these tools and complicate both static and dynamic analysis.”
According to Baker and Chiu, Rombertik is highly complex, designed to hook into a victim’s browser and read credentials before they are sent, then exfiltrate them to a remotely controlled server. The malware does not discriminate when it comes to the types of websites it steals from, which makes it especially dangerous. Researchers have traced Rombertik back to spam and phishing campaigns, indicating that the malware propagates via malicious email attachments opened by unsuspecting targets.
Using anti-analysis to remain undetected
Rombertik is introduced to a victim’s device in the same way most malware is – installed secretly when a user opens a malicious file. However, the way in which Rombertik compromises systems is more complex than the average strain of malware. The program has anti-analysis checks in place to frustrate both static and dynamic analysis. On top of those precautions, the malware stalls upon execution and then runs through another set of anti-analysis checks to discern whether it is running inside a sandbox. Only then does Rombertik decrypt and install itself on the computer. After it is installed, the malware launches a second copy of itself and overwrites that duplicate with the program’s core functionality.
To make review and analysis attempts even more difficult, Rombertik employs garbage code to increase the amount of information that has to be looked through. The malware also stalls sandboxes by copying a single piece of data to memory as many as 960 million times.
“If an analysis tool attempted to log all of the 960 million write instructions, the log would grow to over 100 gigabytes,” Baker and Chiu wrote. “Even if the analysis environment was capable of handling a log that large, it would take over 25 minutes just to write that much data to a typical hard drive. This complicates analysis.”
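The log-bloat trick above only works against a tracer that records every write as its own entry. The following is an added example (not Talos or Faronics code) of how an analysis tool can defend itself: it streams the write events from a hypothetical instruction tracer and collapses consecutive writes from the same instruction to the same destination into a single run record, so a loop that writes one byte 960 million times produces one log line instead of 960 million. The `WriteEvent` format, the addresses in the constructed trace, and the 110-byte-per-entry log estimate (chosen to be consistent with the roughly 100 GB figure quoted above) are all assumptions made for the example.

```python
"""Coalesce a dynamic-analysis write trace so that a tight write loop
cannot bloat the log.  Added example; not code from Talos or Faronics."""
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Tuple


@dataclass(frozen=True)
class WriteEvent:
    """One memory-write instruction as a hypothetical tracer would report it."""
    ip: int      # address of the instruction performing the write (assumed field)
    addr: int    # destination address of the write (assumed field)
    size: int    # number of bytes written (assumed field)


@dataclass
class WriteRun:
    """A run of `count` consecutive writes from the same ip to the same addr."""
    ip: int
    addr: int
    size: int
    count: int


def coalesce_writes(events: Iterable[WriteEvent]) -> Iterator[WriteRun]:
    """Stream events and emit one WriteRun per run of identical writes.

    Only the current run is held in memory, so the tracer's log stays
    proportional to the number of distinct write sites, not the number
    of loop iterations."""
    current = None
    for ev in events:
        if current is not None and (ev.ip, ev.addr, ev.size) == (current.ip, current.addr, current.size):
            current.count += 1
        else:
            if current is not None:
                yield current
            current = WriteRun(ev.ip, ev.addr, ev.size, 1)
    if current is not None:
        yield current


def rombertik_like_trace(loop_writes: int) -> Iterator[WriteEvent]:
    """Constructed trace: two setup writes, then one instruction writing a
    single byte to one address `loop_writes` times, then a trailing write.
    Addresses are invented for the example."""
    yield WriteEvent(0x401000, 0x12FF00, 4)
    yield WriteEvent(0x401005, 0x12FF04, 4)
    for _ in range(loop_writes):
        yield WriteEvent(0x401010, 0x12FF10, 1)
    yield WriteEvent(0x401020, 0x12FF20, 4)


def estimated_log_bytes(n_events: int, bytes_per_entry: int = 110) -> int:
    """Size of a naive per-event log.  110 bytes/entry is an assumption that
    reproduces the ~100 GB figure for 960 million writes."""
    return n_events * bytes_per_entry


def flag_suspicious_runs(runs: Iterable[WriteRun], threshold: int = 1_000_000) -> List[WriteRun]:
    """Runs long enough to be a deliberate stall loop rather than normal code."""
    return [r for r in runs if r.count >= threshold]


def summarize(loop_writes: int) -> Tuple[int, int, List[WriteRun]]:
    """Return (raw event count, coalesced record count, the records)."""
    runs = list(coalesce_writes(rombertik_like_trace(loop_writes)))
    return loop_writes + 3, len(runs), runs


if __name__ == "__main__":
    raw, kept, runs = summarize(200_000)
    print(f"{raw} raw write events -> {kept} coalesced records")
    for r in flag_suspicious_runs(runs, threshold=100_000):
        print(f"stall loop candidate: ip={r.ip:#x} addr={r.addr:#x} x{r.count}")
    print(f"naive log for 960M writes: ~{estimated_log_bytes(960_000_000) / 1e9:.0f} GB")
```

The coalesced record also gives the analyst something the raw log would not: a single instruction address with an absurd repeat count is itself a strong signal that the sample is trying to exhaust the sandbox, which `flag_suspicious_runs` surfaces directly.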
Enhancing enterprise defense for modern threats
Cyber criminals are employing increasingly sophisticated malware capable of getting past most traditional defense strategies. With the threat landscape changing, enterprise IT decision-makers need to look into a modern cybersecurity solution that can tackle new forms of malware. One of the most reliable ways for businesses to defend against sophisticated cyber threats is to implement Deep Freeze from Faronics. This program returns systems, on reboot, to the pristine state they were in before an intrusion took place or malware found its way onto the network.
The Deep Freeze solution takes a snapshot of the enterprise system, allowing IT administrators to reboot workstations to that saved state, preserving their integrity while getting rid of harmful programs. Because credential stealers such as Rombertik do their damage during the live session, restore-on-reboot works best alongside email filtering and endpoint detection rather than in place of them. Deep Freeze enables companies to greatly decrease the amount of information that can be lost due to a security breach and the money spent mitigating the effects of such an event.