Rombertik is data-stealing malware that infects Windows computers while trying to avoid detection. If its anti-analysis checks are tripped, it overwrites the disk's boot record, leaving the computer in an endless restart loop.
Rombertik propagates via phishing and spam messages that use social engineering to entice the recipient into opening an attachment.
These emails impersonate well-known and trusted senders such as Microsoft and Amazon. If the user downloads and unzips the attachment, they see what looks like a document: the file carries a PDF-style thumbnail icon, but it is actually a .SCR file, a Windows screensaver, which is an ordinary executable. Windows hides known file extensions by default, so the .scr suffix is not shown unless that setting is changed. Once the user double-clicks it, the malware runs and begins to compromise the system.
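The lure above is an executable wearing a document's name and icon. The following triage check, an added example rather than anything from Talos or the article, flags that disguise on the mail gateway or in a sandbox: it compares each attachment's extension with its magic bytes (a Windows PE file always starts with the "MZ" stub, a PDF with "%PDF"), looks for double extensions such as `Invoice.pdf.scr`, and recurses into zip archives. The sample attachments are constructed inline; the extension lists and the file names are illustrative, not taken from a real Rombertik sample.

```python
import io
import zipfile

# Extensions Windows runs on double-click (illustrative, not exhaustive).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Extensions a recipient would expect to open as a document.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}
PE_MAGIC = b"MZ"          # DOS stub at the start of every Windows PE executable
PDF_MAGIC = b"%PDF"
ZIP_MAGIC = b"PK\x03\x04"


def extension(name):
    """Lower-cased final extension of a file name, or '' if it has none."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def classify(name, data):
    """Return the reasons an attachment looks suspicious (empty list = nothing found)."""
    reasons = []
    ext = extension(name)
    parts = name.lower().split(".")
    # "Invoice.pdf.scr": a document extension hiding in front of an executable one
    if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTENSIONS and ext in EXECUTABLE_EXTENSIONS:
        reasons.append("double extension hides an executable: %s" % name)
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append("Windows will execute %s files on double-click" % ext)
    # Content check: the bytes say "executable" even if the name does not
    if data.startswith(PE_MAGIC) and ext not in EXECUTABLE_EXTENSIONS:
        reasons.append("PE (MZ) header behind extension %s" % (ext or "(none)"))
    if ext == ".pdf" and not data.startswith(PDF_MAGIC):
        reasons.append("named .pdf but does not start with %PDF")
    return reasons


def triage(name, data):
    """Classify an attachment and, for zip archives, every member inside it.
    Returns {path: [reasons]} for everything that was flagged."""
    findings = {name: classify(name, data)}
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.infolist():
                    if member.is_dir():
                        continue
                    path = name + "/" + member.filename
                    findings[path] = classify(member.filename, archive.read(member))
        except zipfile.BadZipFile:
            findings[name].append("zip archive is corrupt")
    return {path: reasons for path, reasons in findings.items() if reasons}


def build_sample_lure():
    """Constructed sample, not a real Rombertik file: a zip holding a fake
    'Invoice.pdf.scr' whose bytes begin with the PE 'MZ' stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Invoice.pdf.scr",
                         b"MZ" + b"\x90" * 64 + b"This program cannot be run in DOS mode")
        archive.writestr("README.txt", b"Please see attached invoice.")
    return buf.getvalue()


def run_samples():
    """Triage the constructed lure plus one genuine-looking PDF."""
    results = {}
    results.update(triage("lure.zip", build_sample_lure()))
    results.update(triage("report.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"))
    return results


if __name__ == "__main__":
    for path, reasons in run_samples().items():
        print(path, "->", "; ".join(reasons))
```

Only the archive member `lure.zip/Invoice.pdf.scr` is flagged; the archive itself and the genuine PDF pass. The content check matters more than the name check: renaming the executable to `Invoice.pdf` defeats the extension rules but not the "MZ" test.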
Rombertik then collects data the user enters on any website indiscriminately, rather than targeting particular sites, stealing login credentials and other confidential information.
“Rombertik begins to behave like a wiper malware sample, trashing the user’s computer if it detects it’s being analyzed. While Talos has observed anti-analysis and anti-debugging techniques in malware samples in the past, Rombertik is unique in that it actively attempts to destroy the computer if it detects certain attributes associated with malware analysis,” the Cisco Talos analysts stated.
If the malware notices signs that it is being analysed, it attempts to overwrite the Master Boot Record (MBR). The MBR is not a Windows file but the first sector of the boot disk, holding the boot code and the partition table, so once it is overwritten the machine can no longer boot. Rombertik then restarts the computer, which falls into an endless restart loop displaying a message mocking the analyst.
In practice this means reinstalling Windows. Whether data is lost depends on what was overwritten: an MBR overwrite does not itself touch the files on the partitions, so imaging the drive and rebuilding the partition table with a recovery tool before reinstalling may recover them, but there is no guarantee.
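To make the "sector, not file" point concrete, here is an added example (not code from Talos or the article) that parses a 512-byte MBR and judges what a wiper left behind: the 446 bytes of boot code, the four 16-byte partition entries and the 0x55AA signature are the real on-disk layout, while the three sample sectors, the stand-in boot code and the wiper stub are constructed here and assume the wiper touched only sector 0. On a live system the same parser would be fed the first sector of the raw device (`\\.\PhysicalDrive0` on Windows as administrator, `/dev/sda` on Linux as root).

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # 446 bytes of boot code, then four 16-byte entries
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511 of a valid MBR


def parse_mbr(sector):
    """Split sector 0 into boot code, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly %d bytes" % SECTOR_SIZE)
    partitions = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * index
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, offset)
        if ptype != 0:                    # type 0 marks an unused entry
            partitions.append({"index": index, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_empty": not any(sector[:PARTITION_TABLE_OFFSET]),
        "partitions": partitions,
    }


def assess(sector):
    """Classify the damage. Returns (status, what to do next)."""
    info = parse_mbr(sector)
    if info["signature_ok"] and info["partitions"] and not info["boot_code_empty"]:
        return "intact", "nothing to repair"
    if info["partitions"]:
        return "boot-code-damaged", ("partition table survives: rewrite the boot code "
                                     "(e.g. bootrec /fixmbr from Windows recovery media); "
                                     "file data is untouched")
    return "table-wiped", ("partition table gone: image the disk first, then reconstruct "
                           "the partitions with a recovery tool; only then reinstall")


def read_sector0(device):
    """Read the real MBR from a raw block device.
    Windows: r"\\.\PhysicalDrive0" (as administrator); Linux: "/dev/sda" (as root)."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR_SIZE)


def _entry(status, ptype, lba_start, count):
    """Pack one 16-byte partition entry (CHS fields left zero)."""
    return struct.pack("<B3xB3xII", status, ptype, lba_start, count)


def sample_sectors():
    """Constructed sectors, not from any real disk: a healthy MBR, one whose boot
    code was zeroed, and one overwritten wholesale by a hypothetical wiper stub."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 438     # 446 bytes of stand-in code
    table = _entry(0x80, 0x07, 2048, 2000000) + _entry(0, 0, 0, 0) * 3  # one NTFS entry, three unused
    healthy = boot_code + table + BOOT_SIGNATURE
    boot_zeroed = b"\x00" * PARTITION_TABLE_OFFSET + table + BOOT_SIGNATURE
    # hypothetical wiper: a tiny halt loop plus a message, zeros elsewhere, no signature
    wiped = (b"\xeb\xfe" + b"hypothetical wiper message").ljust(SECTOR_SIZE, b"\x00")
    return {"healthy": healthy, "boot_zeroed": boot_zeroed, "wiped": wiped}


if __name__ == "__main__":
    for label, sector in sample_sectors().items():
        status, advice = assess(sector)
        print("%-12s %-18s %s" % (label, status, advice))
```

The distinction the output draws is the one that decides whether a reinstall costs data: with the partition table intact, rewriting 446 bytes of boot code is enough; with the whole sector gone, the file systems are still on disk but have to be located again, which is why the image comes before the reinstall.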
Talos has put together a diagram detailing the malware process (not reproduced here).
The report concluded that although Rombertik has several layers of complex code and anti-analysis functions, it is simply designed to steal data. Strong and simple security practices keep it off a machine: do not open unexpected attachments, even when the sender appears to be a company you know; show file extensions so a .scr cannot pass for a PDF; block executable attachments at the mail gateway; and keep anti-virus software up to date.