Researchers from the Cisco-led TALOS Research Group identified the Rombertik malware as a “multi-layered anti-analysis” malware. On top of its regular functionality, its most notable feature is a self-destruction mechanism that wipes out the Master Boot Record on the file system. While wiping mechanisms, combined with evasion techniques, are a common sight in the current threat landscape, the TALOS team’s discovery was nevertheless received as something of a surprise.
Two broader trends help explain the appearance of stealthier and more violent malware. The first, and more visible, is the growth in security research resources at medium-sized businesses. One popular trend is the widespread distribution of malware-sandboxing tools: what was once the exclusive domain of high-end AV labs is now deployed with most malware analysis services. These tools improve results against known threats, but without the specific expertise required to place sandbox findings in the greater attack-chain context, it is nearly impossible to identify unknown attack vectors. The second trend, mostly hidden from the public eye, is the fall of significant cyber-attack arrays over the past few years. Names like “The Equation Group” and “Operation Deep Panda”, given to exposed state-sponsored units and campaigns, usually fail to convey the destructive consequences for an attack group of being discovered and pulled apart. Think of all the labor put into creating and deploying the exposed pieces of malware, and you begin to understand the damage of losing such a significant cyber asset.
The direct implication of these trends, which are causing attackers to lose high-value tools and techniques, is the gradual appearance of more detection-aware variants with more violent evasion abilities. In that context, it is easier to see the Rombertik MBR wipe module as a form of cyber insurance rather than a cyber-weapon.
The question that remains is “why does Rombertik, a general-purpose browser spyware, contain such a vast layer of self-protection?” Well folks, here the answer is much simpler: reconnaissance. As we have discussed many times in the past, it is only through the collection of personal information (emails, passwords, personal details) that attackers successfully turn their initial grip on your networks into more fruitful (or lucrative) operations.