Win32/Rombertik


Win32/Rombertik

Postby cuttingedge » Tue May 05, 2015 9:54 pm

Hello,

I read an article on Rombertik and would like to know if anyone has a sample of it?

Read about it here:

http://www.extremetech.com/computing/20 ... f-detected

I did a search for it and could not find anything posted about it.

Thank you.

Sample is here: (http://www.centozos.org.in/don1/gate.php) DO NOT GO TO THIS LINK IF YOU ARE INEXPERIENCED IN MALWARE
cuttingedge
 
Posts: 3
Joined: Mon Jul 02, 2012 5:17 am
Reputation point: 0

Re: Rombertik Sample

Postby forty-six » Wed May 06, 2015 3:26 am

forty-six
 
Posts: 66
Joined: Tue Sep 03, 2013 3:23 pm
Reputation point: 30

Win32 Rombertik

Postby forty-six » Wed May 06, 2015 3:31 am

forty-six
 
Posts: 66
Joined: Tue Sep 03, 2013 3:23 pm
Reputation point: 30

Re: Win32 Rombertik

Postby EP_X0FF » Wed May 06, 2015 4:22 am

overwrite the MBR, it will instead destroy all files in the user’s home folder (e.g. C:\Documents and Settings\Administrator\)


Stop using Windows XP and ancient computers with BIOS.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4750
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 562

Re: Win32 Rombertik

Postby Intimacygel » Wed May 06, 2015 2:38 pm

This is blowing up in the media for like no reason. It's not even that scary or innovative.

Here is an unpacked sample
Intimacygel
 
Posts: 24
Joined: Wed Jun 05, 2013 3:16 pm
Reputation point: 4

Re: Win32 Rombertik

Postby SomeUnusedName » Thu May 07, 2015 1:55 pm

Typical blogpost analyzing the packer nobody in their right mind cares about.
SomeUnusedName
 
Posts: 46
Joined: Fri Oct 07, 2011 1:17 pm
Reputation point: 8

Re: Win32 Rombertik

Postby r32 » Fri May 08, 2015 2:08 am

Hi all, this sample was extracted from Cuckoo Sandbox, not from the original link, because those files have been deleted.
I found it at these URLs:

http://t.co/yjP9oqxsQv
http://cuckoo.killerinstinct.me/analysis/1587/

I uploaded the sample to download:

77bacb44132eba894ff4cb9c8aa50c3e9c6a26a08f93168f65c48571fdf48e2a.bin.gz


Regards ;)
r32
 
Posts: 3
Joined: Mon Oct 24, 2011 12:41 pm
Reputation point: 1

Re: Win32 Rombertik

Postby EP_X0FF » Fri May 08, 2015 8:24 am

Finally got some "willingness" to look at this.

What can I say.

HOLY FUCK.

It is a Delphi dropper with a perun dll inside.

In this case, the unpacked Rombertik sample is 28KB while the packed version is 1264KB. Over 97% of the packed file is dedicated to making the file look legitimate by including 75 images and over 8000 functions that are never used.


Where did Ben Baker and Alex Chiu come from? Two idiots who have never seen Delphi apps? Or maybe two idiots who don't know how to join something with a Delphi app? :) This work is definitely not for you.

Talos Group? How about re-branding to Phallus Group? :D Fully describes their level of sophistication and professionalism.

Guess what this "super malware" of hackforums level does? It drops a VBS script with the following ultimate code

' Runs the dropped batch file with a hidden window (second Run argument = 0)
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run Chr(34) & "C:\Documents and Settings\User\Application Data\rsr\yfoye.bat" & Chr(34), 0
Set WshShell = Nothing


to the "AUTORUN" folder, and drops a bat and a copy of itself to the AppData\rsr folder. Next it runs in the background as a PROCESS and waits in a loop for browsers to pop up in the process list. When a "firefox/chrome" browser is found, it injects this super dll written in VS 2010 with CreateRemoteThread and performs ring3 HOOKING of several APIs. Wow, never seen before.

Depending on browser it will hook:

chrome
Ws2_32!WSASend

firefox
kernel32!CreateFileW
Wininet!HttpSendRequestW

It is implemented so buggy (madskillz hooks) that it never worked for me, resulting in browser crashes.

Next comedy part - the so-called "anti-analysis".

Hidden under this comedy statement is a simple CRC32 check this malware does over its resource. This is made to prevent hex-editing. If something is wrong it will do the described MBR overwrite and file encryption. Works on Windows XP. That's all the anti-analysis. Yes, that's all.

It is a common trend of the last few years that teams of unknown monkeys and script-kiddies pop up from nowhere with "security research" about "ultimate super-duper" malware. Sort of legalized fraud. So they are just a kind of cybercriminals themselves -> Ben Baker and Alex Chiu from Phallus Group, remember them, I think it's the beginning of their professional career.

Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4750
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 562
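The post above describes a three-stage chain: a VBS dropped into the Startup folder, a .bat plus a copy of the dropper under Application Data\rsr, and a CreateRemoteThread injection into chrome/firefox. The following detection logic is an added example, not code from the thread or the sample; it runs over constructed Sysmon-style events (EventId 11 FileCreate, 1 ProcessCreate, 8 CreateRemoteThread) whose paths follow the ones quoted in the post, and the file names are assumptions.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style events (not taken from the thread); the paths follow the
# drop chain described above: VBS in the Startup folder, .bat and a copy of the
# dropper under Application Data\rsr, then a remote thread into the browser.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventId": "11", "Image": r"C:\Documents and Settings\User\Application Data\rsr\yfoye.exe",
     "TargetFilename": r"C:\Documents and Settings\User\Start Menu\Programs\Startup\yfoye.vbs"},
    {"EventId": "11", "Image": r"C:\Documents and Settings\User\Application Data\rsr\yfoye.exe",
     "TargetFilename": r"C:\Documents and Settings\User\Application Data\rsr\yfoye.bat"},
    {"EventId": "1", "Image": r"C:\WINDOWS\system32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Documents and Settings\User\Start Menu\Programs\Startup\yfoye.vbs"'},
    {"EventId": "8", "SourceImage": r"C:\Documents and Settings\User\Application Data\rsr\yfoye.exe",
     "TargetImage": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"EventId": "1", "Image": r"C:\WINDOWS\system32\notepad.exe", "CommandLine": "notepad.exe"},
]

# A script file landing in a user's Startup folder (persistence via "AUTORUN" folder).
STARTUP_SCRIPT = re.compile(r'\\Startup\\[^\\"]+\.(vbs|bat|cmd|js)\b', re.I)
# A bat/exe/dll created one directory below Application Data (the rsr folder pattern).
APPDATA_PAYLOAD = re.compile(r"\\(Application Data|AppData\\Roaming)\\[^\\]+\\[^\\]+\.(bat|exe|dll)$", re.I)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
BROWSERS = ("chrome.exe", "firefox.exe")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert per event that matches a stage of the persistence/injection chain."""
    alerts: List[Dict[str, str]] = []
    for ev in events:
        eid = ev.get("EventId")
        if eid == "11" and STARTUP_SCRIPT.search(ev["TargetFilename"]):
            alerts.append({"rule": "startup_script_drop", "path": ev["TargetFilename"]})
        elif eid == "11" and APPDATA_PAYLOAD.search(ev["TargetFilename"]):
            alerts.append({"rule": "appdata_payload_drop", "path": ev["TargetFilename"]})
        elif eid == "1" and _basename(ev["Image"]) in SCRIPT_HOSTS \
                and STARTUP_SCRIPT.search(ev.get("CommandLine", "")):
            alerts.append({"rule": "script_host_from_startup", "cmd": ev["CommandLine"]})
        elif eid == "8" and _basename(ev["TargetImage"]) in BROWSERS:
            # Remote thread into a browser from a binary living in the user profile.
            alerts.append({"rule": "remote_thread_into_browser", "source": ev["SourceImage"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Each rule fires independently, so a single hit (for example only the remote thread into firefox.exe) is still worth triage even if the earlier drops were not logged.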

Re: Win32 Rombertik

Postby robemtnez » Fri May 08, 2015 1:17 pm

So no anti-debugging or sandbox analysis detection at all with machine mass destruction? :roll:
robemtnez
 
Posts: 15
Joined: Tue Feb 03, 2015 4:11 pm
Reputation point: 9

Re: Win32 Rombertik

Postby EP_X0FF » Fri May 08, 2015 3:19 pm

robemtnez wrote:So no anti-debugging or sandbox analysis detection at all with machine mass destruction? :roll:


Does it look like it? Malwr running on VirtualBox, open to any detection.
https://malwr.com/analysis/ZDA0ZTkzNTI5NGVhNDZmZDhmMWU1MjNlMjNjYzZkMTg/

I can tell you why and where this scary machine "destruction" will take place.

This so-called anti-analysis is protection from smart script-kiddies who know how to use an in-memory hex-editor and can change the bot configuration (the server name, for example, from hxxp://www.centozos.org.in to mysuperdomain.com). The configuration is stored inside this small dll as resources in RCDATA (this dll is actually an executable - you can run it just like you run any exe and it will work). The block of keys used to decrypt the configuration is also stored there. This malware checks the checksum of resource 1006 and if something bad happened -> CRC32 != 0x0E1A63B9 -> wow, we are under a hacking attempt - wipe MBR etc. Ultra super advanced technology.

The people who did this "analysis" are script-kiddies with IDA Pro at hand, used only for screenshotting the Delphi VCL runtime call graph, facepalm.

So basically all these mass media monkeys are lying to you. Well, just like they should by design and purpose.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4750
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 562
