Finally got some "willing" to look at this.
What can I say.
It is a Delphi dropper with a perun dll inside.
In this case, the unpacked Rombertik sample is 28KB while the packed version is 1264KB. Over 97% of the packed file is dedicated to making the file look legitimate by including 75 images and over 8000 functions that are never used.
Where did Ben Baker and Alex Chiu come from? Have these two idiots never seen Delphi apps? Or maybe these two idiots never knew how to join something with a Delphi app? :) This work is definitely not for you.
Talos Group? How about re-branding to Phallus Group? :D Fully describes their level of sophistication and professionalism.
Guess what this hackforums-level "super malware" does? It drops a VBS script with the following ultimate code
Code:
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run chr(34) & "C:\Documents and Settings\User\Application Data\rsr\yfoye.bat" & Chr(34), 0
Set WshShell = Nothing
to the "AUTORUN" folder, drops a bat and a copy of itself to the AppData\rsr folder. Next it runs in the background as a PROCESS and waits in a loop for browsers to pop up in the process list. Then, when a "firefox/chrome" browser is found, it injects this super dll written in VS 2010 with CreateRemoteThread and performs ring3 HOOKING of several APIs. Wow, never seen before.
Depending on the browser it will hook:
It is implemented so buggily (madskillz hooks) that it never worked for me, resulting in browser crashes.
Next comedy part: the so-called "anti-analysis".
Under this comedy statement is hidden a simple CRC32 check this malware does over its resource. This is made to prevent hex-editing. If something is wrong it will do the described MBR overwrite and file encryption. Will work on Windows XP. That's all the anti-analysis. Yes, that's all.
It is a common trend of the last few years: teams of unknown monkeys and script-kiddies popping up from nowhere with "security researches" about "ultimate super-duper" malware. A sort of legalized fraud. So they are just a kind of cybercriminals themselves -> Ben Baker and Alex Chiu from Phallus Group, remember them, I think it's the beginning of their professional career.
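An added example, not from the post or from Talos: a small Python checker that flags the persistence pattern the post shows (a Startup-folder .vbs that uses WScript.Shell to launch a .bat under the user's profile with the window style set to 0, i.e. hidden). The heuristics, helper names and the sample scripts are constructed here for illustration.

```python
import re
from pathlib import Path

# Constructed heuristics modelled on the dropper's VBS quoted in the post.
SHELL_RE = re.compile(r'CreateObject\s*\(\s*"WScript\.Shell"\s*\)', re.I)
RUN_RE = re.compile(r'\.Run\s+(?P<cmd>.+?)\s*,\s*(?P<style>\d+)\s*(?:,|$)', re.I | re.M)
STR_RE = re.compile(r'"([^"]*)"')
PROFILE_HINTS = ("application data", "appdata", "\\temp\\")
SCRIPT_EXTS = (".bat", ".cmd", ".exe", ".vbs", ".ps1")

def extract_target(cmd_expr: str) -> str:
    """Join the string literals of a VBS expression such as
    chr(34) & "C:\\...\\yfoye.bat" & Chr(34) to recover the launched path;
    the chr(34) quote wrappers contain no literal and are dropped."""
    return "".join(STR_RE.findall(cmd_expr))

def classify_vbs(text: str) -> dict:
    """Findings for one script: hidden-window launch (style 0) of a
    batch/executable stored under a user profile data directory."""
    findings = {"uses_wscript_shell": bool(SHELL_RE.search(text)), "targets": []}
    for m in RUN_RE.finditer(text):
        target = extract_target(m.group("cmd"))
        low = target.lower()
        hidden = m.group("style") == "0"
        in_profile = any(h in low for h in PROFILE_HINTS)
        script_like = low.endswith(SCRIPT_EXTS)
        findings["targets"].append({"path": target, "hidden": hidden,
                                    "suspicious": hidden and in_profile and script_like})
    findings["suspicious"] = findings["uses_wscript_shell"] and any(
        t["suspicious"] for t in findings["targets"])
    return findings

def scan_startup(folder: Path) -> list:
    """Classify every .vbs in a Startup folder (hypothetical helper)."""
    return [(p.name, classify_vbs(p.read_text(errors="ignore"))) for p in folder.glob("*.vbs")]

# Constructed sample mirroring the dropper's script from the post.
SAMPLE = '''Set WshShell = CreateObject("WScript.Shell")
WshShell.Run chr(34) & "C:\\Documents and Settings\\User\\Application Data\\rsr\\yfoye.bat" & Chr(34), 0
Set WshShell = Nothing
'''
# Constructed benign launcher: visible window, installed under Program Files.
BENIGN = '''Set sh = CreateObject("WScript.Shell")
sh.Run "C:\\Program Files\\Vendor\\updater.exe", 1
'''
```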