[cuttingedge]

Hello,

I read an article on Rombertik and would like to know if anyone has a sample of it?

Read about it here:

http://www.extremetech.com/computing/20 ... f-detected

I did a search for it and could not find anything posted about it.

Thank you.

Sample is here : (http://www.centozos.org.in/don1/gate.php) DO NOT GO TO THIS LINK IF YOU ARE INEXPERIENCED IN MALWARE

[forty-six]

Attached is from :

http://blogs.cisco.com/security/talos/rombertik

[forty-six]

Attached sample from article :

http://blogs.cisco.com/security/talos/rombertik

[EP_X0FF]

overwrite the MBR, it will instead destroy all files in the user’s home folder (e.g. C:\Documents and Settings\Administrator\)

Stop using Windows XP and ancient computers with BIOS.

[Intimacygel]

This is blowing up in the media for like no reason. It's not even that scary or innovative.

Here is an unpacked sample

[SomeUnusedName]

Typical blogpost analyzing the packer nobody in their right mind cares about.

[r32]

Hi all, this sample was extracted Cuckoo Sandbox, but not because they have been deleted.
In this url i found.

http://t.co/yjP9oqxsQv
http://cuckoo.killerinstinct.me/analysis/1587/

I uploaded the sample to download:

77bacb44132eba894ff4cb9c8aa50c3e9c6a26a08f93168f65c48571fdf48e2a.bin.gz

(604.14 KiB) Downloaded 77 times

Regards ;)

[EP_X0FF]

Finally got some "willing" to look on this.

What can I say.

HOLY FUCK.

It is Delphi dropper with perun dll inside.

In this case, the unpacked Rombertik sample is 28KB while the packed version is 1264KB. Over 97% of the packed file is dedicated to making the file look legitimate by including 75 images and over 8000 functions that are never used.

From where did you get out Ben Baker and Alex Chiu? Two idiots never saw Delphi apps? Or maybe two idiots never know how to join something with Delphi app? :) This work is definitely not for you.

Talos Group? How about re-branding to Phallus Group? :D Fully describes their level of the sophistication and professionalism.

Guess what this "super malware" level of hackforums does? It drops VBS script of the following ultimate code

Code: Select all

Set WshShell = CreateObject("WScript.Shell")
WshShell.Run chr(34) & "C:\Documents and Settings\User\Application Data\rsr\yfoye.bat" & Chr(34), 0
Set WshShell = Nothing

to "AUTORUN" folder, drops bat and copy of itself to AppData\rsr folder. Next it runs in background as PROCESS and waits in loop for browsers popup in process list. Next when browser "firefox/chrome" found it injects this super dll written in VS 2010 with CreateRemoteThread and performs ring3 HOOKING of several API's. Wow, never seen before.

Depending on browser it will hook:

chrome
Ws2_32!WSASend

firefox
kernel32!CreateFileW
Wininet!HttpSendRequestW

It implemented so buggy (madskillz hooks) so it never work for me resulting in browsers crash.

Next comedy part - so called "anti-analysis".

Under this comedy statement is hidden simple CRC32 check this malware does over it resource. This is made to prevent hex-editing. If something wrong it will do described mbr overwrite and files encryption. Will work on Windows XP. That's all anti-analysis. Yes, that's all.

It is common trend of last few years when team of unknown monkeys and script-kiddies are poping up from nowhere with "security researches" about "ultimate super-duper" malware. Sort of legalized fraud. So they just a kind of cybercriminals itself -> Ben Baker and Alex Chiu from Phallus Group, remember them, I think it's beginning of their professional career.

[robemtnez]

So no anti-debuging or sandbox analysis detection at all with machine mass destruction? :roll:

[EP_X0FF]

So no anti-debuging or sandbox analysis detection at all with machine mass destruction? :roll:

Does it looks like this? Malwr running on VirtualBox open for any detection.
https://malwr.com/analysis/ZDA0ZTkzNTI5NGVhNDZmZDhmMWU1MjNlMjNjYzZkMTg/

I can tell you why and where this scary machine "destruction" will only take place.

This so called anti-analysis is a protection from smart script-kiddies who know how to use in memory hex-editor and can change bot configuration (server name for example from hxxp://www.centozos.org.in to mysuperdomain.com). Configuration stored inside this small dll as resources in RCDATA (this dll is actually executable - you can run it just like you run any exe and it will work). Here also stored block of keys used to decrypt configuration. This malware check checksum of 1006 resource and if something bad happened -> CRC32 != 0x0E1A63B9 -> wow we are under hacking attempt - wipe MBR etc. Ultra super advanced technology.

People who did this "analysis" are script-kiddies with IDA Pro at hand which used only for screenshoting of Delphi VCL runtime call graph, facepalm.

So basically all these mass media monkeys are lying you. Well, just like they should by design and purpose.