BlueCoat "kind of" called them out https://www.bluecoat.com/security-blog/ ... -rombertik
A forum for reverse engineering, OS internals and malware analysis
The call of payload decryption routine is in Form1.FormCreate method. Here also you can find this "antisandbox" feature representing a call to GetUsername, rofl. The huge size of dropper application is because they put on Form chaotic mosaic of heavy-weight components such as QuickReport. There is no obfuscation in dropper. It is just a Delphi VCL, 2015 people don't know how files produced by popular compiler looks like.
Ring0 - the source of inspiration
So, it seems that the Rombertik malware is not an actual standalone malware at all, but an obfuscating wrapper applied to various crimeware.I'm not sure they understood it either?
Reports of Rombertik have been (greatly) exaggeratedhttp://blogs.bromium.com/2015/05/13/rep ... aggerated/ :shock:
Another one report from security imbecile.
http://labs.lastline.com/exposing-rombe ... ve-malware
YEAR
"Security Expert"
DOESN'T KNOW
HOW FUCK
DELPHI LOOKS LIKE
http://labs.lastline.com/exposing-rombe ... ve-malware
nformation Overload2015
Another significant obstacle that Rombertik throws at human reverse engineers is that it complicates static analysis by adding many (many!) different functions to its executable. These functions do not add meaningful logic to the program, but merely make finding relevant code-regions (that contain the actual, malicious payload) very tedious.
YEAR
"Security Expert"
DOESN'T KNOW
HOW FUCK
DELPHI LOOKS LIKE
Ring0 - the source of inspiration
These guys are spending its time to analyze packer(or Cryptor) written in Delphi. Unpacked EXE (which only is 25600 Bytes) is wrapped with this delphi packer.
The malware is old, I don't know why it is popped out now.
And actually there are different versions of packers they used in the past.
Here is the same malware packed with different packers/cryptors:
AutoIt: https://www.virustotal.com/en/file/cabf ... /analysis/
.Net: https://www.virustotal.com/en/file/6c18 ... /analysis/
VB: https://www.virustotal.com/en/file/72b5 ... /analysis/
The malware is old, I don't know why it is popped out now.
And actually there are different versions of packers they used in the past.
Here is the same malware packed with different packers/cryptors:
AutoIt: https://www.virustotal.com/en/file/cabf ... /analysis/
.Net: https://www.virustotal.com/en/file/6c18 ... /analysis/
VB: https://www.virustotal.com/en/file/72b5 ... /analysis/
But as you can see, it works. Reading the comments on Cisco analysis made my day. :D
Great article. I'm interested in reverse engineering as well, so I'd like to know how the team mastered all the anti-analysis and anti-debugging techniques... It must have taken alot of time to perform analysis on this particular malware...
Excellent research and a well written article...My favorite:
Brilliant article, showing clearly how on top of its game Talos is. The work that must have gone into unravelling that malware sounds enormous...Also, SentinelOne did a brilliant analysis on this: http://www.sentinelone.com/rombertik-ma ... -record-2/
Malware Reversing
http://www.malware-reversing.com
http://www.malware-reversing.com
ebfe wrote:These guys are spending its time to analyze packer(or Cryptor) written in Delphi. Unpacked EXE (which only is 25600 Bytes) is wrapped with this delphi packer.The problem is that there is no cryptor here. They simple joined payload code (very small code block called in Form1.FormCreate method, including encrypted payload exe) with Delphi application. To make it friendly for static AV scans they put on Delphi form as much of heavy weight components as they can. This results in megabyte of dead runtime code which turns this code looks legitimate and harmless. This mimicry is not a something new and previously was in multiple malware, for example in Kelihos. Example in case of the above sample they use Delphi 7 application with the following modules included.
Code: Select all
As you can see they put random heavy-weight palette of components which automatically adds to resulting file tons of dead rtl code and resources (especially QuickReport).3701h Project1
4510h NMFtp
C700h System
8100h SysInit
0210h SysUtils
4B1Ch Windows
5510h Types
9D10h SysConst
5E10h Classes
2210h RTLConsts
331Ch Messages
4310h Variants
2410h VarUtils
5110h TypInfo
7310h ActiveX
8810h Psock
2A1Ch ShellAPI
A91Ch WinSock
9110h ExtCtrls
C710h Consts
A010h Dialogs
491Ch Dlgs
1610h Math
331Ch CommDlg
281Ch ShlObj
141Ch CommCtrl
BB1Ch RegStr
3F1Ch WinInet
EF1Ch UrlMon
2B10h Graphics
2610h Controls
B300h Forms
B010h Printers
571Ch WinSpool
8F10h FlatSB
DF10h StdActns
B810h Clipbrd
5910h StrUtils
4510h ActnList
7610h Menus
8710h Contnrs
CD10h ImgList
6410h StdCtrls
A510h WinHelpViewer
5210h HelpIntfs
C11Ch Imm
A510h MultiMon
CB10h NMConst
A710h WebAdapt
0410h AutoAdap
C310h WebDisp
3E10h WebConst
B610h WebScript
A210h CopyPrsr
BD10h WebComp
9810h WbmConst
5610h WebCntxt
3F10h HTTPApp
E810h BrkrConst
3D10h Masks
CA10h HTTPProd
1F10h SiteConst
C210h AscrLib
4610h ComObj
7110h ComConst
EC10h StdVCL
9E10h SiteComp
9810h WebContnrs
4010h WebScript_TLB
B010h WebAuto
C510h WebSess
5F10h DateUtils
4410h SessColn
0510h SyncObjs
A510h AdaptReq
2210h MidItems
1410h Provider
1D10h MidConst
7710h DBConsts
6110h DBCommon
6410h FMTBcd
B010h DB
3510h MaskUtils
7210h SqlTimSt
ED10h DataBkr
D110h Midas
C910h DBClient
E710h DSIntf
C110h DBWeb
5110h AutoDisp
4810h XMLBrokr
F310h PagItems
4E10h CompProd
9210h MidProd
B210h ScrptMgr
9C10h MidComp
1210h QuickRpt
5310h QRCtrls
6210h QRLablEd
6E10h ComCtrls
A510h ComStrs
0C10h ExtActns
3010h Mapi
B010h ExtDlgs
C210h Buttons
3810h Registry
DD10h IniFiles
971Ch RichEdit
8610h ToolWin
DF10h ListActns
A310h Mask
1810h QRExprEd
A510h QRExpBld
1810h QRPrntr
C210h QRPrev
D010h QR3Const
1710h DBTables
C310h bdeconst
9610h BDE
B810h SMINTF
D310h QRExtra
2A10h QRCompEd
0910h QRAbout
0D10h OleCtrls
1010h OleConst
C110h AxCtrls
1110h QREnvEd
C310h QRExpr
5810h Grids
DD10h QRPrnSu
1B10h QRPrgres
EE00h Unit1
And here is what all the skids from "security experts" analysing few weeks -> Form1.
Code: Select all
And there how it looks like -> // <DFM> TFORM1 = class(TForm);
object Form1: TForm1
Left = 483
Top = 195
Width = 604
Height = 450
AlphaBlend = True
Color = clBtnFace
Font.Charset = DEFAULT_CHARSET
Font.Color = clWindowText
Font.Height = -11
Font.Name = 'MS Sans Serif'
Font.Style = []
OldCreateOrder = False
OnCreate = FormCreate
PixelsPerInch = 96
TextHeight = 13
object Image1: TImage
Left = 128
Top = 168
Width = 105
Height = 105
end
object Button2: TButton
Left = 96
Top = 256
Width = 75
Height = 25
Caption = 'Button2'
TabOrder = 0
end
object Button3: TButton
Left = 104
Top = 376
Width = 75
Height = 25
Caption = 'Button3'
TabOrder = 1
end
object CheckBox2: TCheckBox
Left = 96
Top = 304
Width = 97
Height = 17
Caption = 'CheckBox2'
TabOrder = 2
end
object Button1: TButton
Left = 72
Top = 32
Width = 75
Height = 25
Caption = 'Button1'
TabOrder = 3
end
object ComboBox1: TComboBox
Left = 416
Top = 128
Width = 145
Height = 21
ItemHeight = 13
TabOrder = 4
Text = 'ComboBox1'
end
object QRDBRichText1: TQRDBRichText
Left = 304
Top = 136
Width = 100
Height = 100
Frame.Color = clBlack
Frame.DrawTop = False
Frame.DrawBottom = False
Frame.DrawLeft = False
Frame.DrawRight = False
Size.Values = (
264.583333333333000000
804.333333333333000000
359.833333333333000000
264.583333333333000000)
Alignment = taLeftJustify
AutoStretch = False
Color = clWindow
Font.Charset = DEFAULT_CHARSET
Font.Color = clWindowText
Font.Height = -11
Font.Name = 'MS Sans Serif'
Font.Style = []
end
object ImageList1: TImageList
Left = 240
Top = 304
end
object NMFTP1: TNMFTP
Port = 21
ReportLevel = 0
Vendor = 2411
ParseList = False
ProxyPort = 0
Passive = False
FirewallType = FTUser
FWAuthenticate = False
Left = 432
Top = 256
end
object EndUserAdapter1: TEndUserAdapter
Left = 296
Top = 120
object TAdapterDefaultActions
end
object TAdapterDefaultFields
end
end
object ColorDialog1: TColorDialog
Ctl3D = True
Left = 160
Top = 48
end
object FindDialog1: TFindDialog
Left = 144
Top = 152
end
end
You will never see it because payload is located in Form1.FormCreate method, which is called, as named, during Form1 create phase.
The absense of reverse-enginering skills is not a really problem. The problem is that all these so called "analysts" are just monkeys pushing buttons in their tools. They never were a programmers (and I hope will never be) and they don't know what they see. This forces them as skids generate tons of bullshit you can read in their articles.
Ring0 - the source of inspiration
:lol: :lol: :lol: :lol: :lol: :lol:
For these so-called "Security Experts"
For these so-called "Security Experts"
