Rombertik destroys the MBR to prevent unauthorized use of the malware

According to the experts at Symantec, the Rombertik malware attempts to destroy the MBR to prevent unauthorized use of the Trojan.

Early this month, the experts at Cisco have published a report on the Rombertik, a high sophisticated strain of malware that wipes hard drive to prevent analysis.

According to Symantec, Rombertik is a new version of the information stealer Trojan dubbed Carbon Grabber (Infostealer.Retgate backdoor). The experts noticed that the malware implements several mechanisms to prevent researchers from analyzing it, including sandboxing escape. If Rombertik detects someone tries to analyze it, it attempts to overwrite the device’s MBR making it difficult to a forensics expert to access data.

Symantec researchers have formulated an interesting hypothesis regarding this feature, they believe that it is a trap for those who might try to use and modify the malware. The experts explained that the authors of Rombertik sold the malware to other criminal gangs, the version distributed contains the address of the C&C embedded in the binary code and could not be changed by customers.

Some cybercriminals tried the reverse engineering of the malware in order to change the C&C address and use their control infrastructure avoiding to pay the authors of Rombertik.

In order to prevent criminal gangs to modify the Rombertik code the authors have added the feature to overwrite the MBR and encrypt the file present on the infected machine.

“Carbon crack attempt, failed.” a clear messages for hackers who tried to pirate the Rombertik Trojan.

Experts at Symantec have discovered much more of the anti-tampering method used by the Rombertik malware, they noticed that the URL of the C&C server is encrypted using an RSA key.

“The threat hides the hash of the RSA key in the compiled time field of the PE header. This hash value is compared with the hash of the key being used. If the hashes match, then everything continues as normal. However, if the script kiddie tries to replace the RSA key with a different one, the resulting hash will not match the hash stored in the compiled time field and this will then trigger the destructive payload.” states the blog post published by Symantec.

Experts at Symantec explained that the system is very effective by the malware authors made the serious error to hide the encryption keys in the malware binary.

“We were able to encrypt a different C&C URL using the public key and decrypt it using the included private key. This means that if somebody wanted to repurpose a copy of the Trojan without paying for a new one, they could do so using this method without triggering the destructive payload,” continues the post.

Resuming, the feature implemented by the authors of the Rombertik malware has the primary intent to prevent the circulation of pirated copy of the malicious code.

“Based on our analysis, we don’t believe that this functionality is designed as an anti-analysis feature to thwart the efforts of security researchers. Instead, this looks like it is the malware developer’s way of punishing the naive cheapskates who may be trying to use this software for free,” researchers noted. “There’s no denying the damage that this threat can cause, it really is very destructive, but this is no indiscriminate wiper Trojan.”

Pierluigi Paganini

(Security Affairs – Rombertik malware, cybercrime)