Rombertik: what you should know about the evolution of destructive malware

Protecting yourself against malware that's aware of anti-virus programs and can self destruct to avoid detection is tricky, says Corey Nachreiner.

Corey Nachreiner

In May, Cisco's Talos group published a blog about a new strain of destructive malware called Rombertik. In many ways, Rombertik is similar to other destructive malware variants in that it propagates through spam and spear-phishing messages. Attackers use social engineering tactics to convince unsuspecting users to download and open a malicious PDF attachment that ultimately forces malware onto the victim's computer, and sinks its hooks into their browser. Once latched in, Rombertik reads login credentials to visited sites and other sensitive information, and takes control of the browser, similar to the Dyre malware that targeted the banking industry last year.

But here is where things get interesting. Rombertik is designed to self-destruct upon discovery by anti-virus software as a means of defending itself against detection. In other words, while it's possible to detect Rombertik in your system, this “self-destruct” mechanism makes it incredibly difficult to deploy quarantine or removal countermeasures. When detected and analysed, Rombertik deliberately corrupts the machine's master boot record (MBR). The MBR is where crucial details such as the location of files and the disk partition layout reside, creating the potential for the infected machine's disk – and everything on it – to be rendered useless once it's been rebooted. In addition, Rombertik has the ability to evade Advanced Persistent Threat (APT) mitigation techniques such as “sandboxing,” by tricking the APT tool into thinking it's working on a legitimate function.
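Because Rombertik's self-destruct overwrites the first sector of the disk, an integrity check of the master boot record is a useful detection and forensic step. The following is an added example, not code from the article or from Cisco Talos: it parses a 512-byte MBR image (as dumped from a disk), flags the signs of a wiped or garbled sector, and compares the sector against a known-good SHA-256 baseline. The sample sector and its single partition entry are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"   # boot signature at bytes 510-511 of a valid MBR

def parse_partitions(mbr: bytes) -> list:
    """Return the four 16-byte primary partition entries (offset 446) as dicts."""
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, lba_start, sectors = struct.unpack_from("<B7xII", mbr, off)
        entries.append({"status": status, "type": mbr[off + 4],
                        "lba_start": lba_start, "sectors": sectors})
    return entries

def check_mbr(mbr: bytes) -> list:
    """Return a list of findings; an empty list means the sector looks structurally sane."""
    if len(mbr) != SECTOR_SIZE:
        return [f"unexpected sector length {len(mbr)}"]
    findings = []
    if mbr[510:512] != MBR_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if not any(mbr[:446]):
        findings.append("boot code area is all zeros")
    entries = parse_partitions(mbr)
    if all(e["type"] == 0 for e in entries):
        findings.append("no partition entries defined")
    for i, e in enumerate(entries):
        if e["status"] not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte 0x{e['status']:02x}")
        if e["type"] != 0 and e["sectors"] == 0:
            findings.append(f"entry {i}: partition type 0x{e['type']:02x} with zero length")
    if sum(1 for e in entries if e["status"] == 0x80) > 1:
        findings.append("more than one partition marked active")
    return findings

def baseline_sha256(mbr: bytes) -> str:
    """Hash to record for a known-good sector (store it off-host, with the backups)."""
    return hashlib.sha256(mbr).hexdigest()

def matches_baseline(mbr: bytes, baseline: str) -> bool:
    """True if the sector read now still matches the recorded known-good hash."""
    return baseline_sha256(mbr) == baseline

def build_sample_mbr() -> bytes:
    """Constructed sample: tiny boot stub, one active type-0x07 partition, valid signature."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 441                  # 446 bytes
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 1048576)                  # 16 bytes
    return boot_code + entry + b"\x00" * 48 + MBR_SIGNATURE                # 512 bytes

WIPED_MBR = b"\x00" * SECTOR_SIZE   # constructed: what a zeroed first sector looks like
```

On a live system the input would be the first 512 bytes read from the raw disk device by an administrator, compared against a hash recorded when the machine was known to be clean.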

Ransomware – malware that restricts or encrypts access to a computer or its information in exchange for payment – has been around in one form or another for more than two decades, but its activity has exploded in recent years. With Rombertik, we are now seeing a new hybrid of ransomware and destructive malware.

However, there are actions any business can take to reduce the risk of becoming a victim of Rombertik. And the good news is, they're no more difficult than following the common sense rules that apply to avoiding any other malware. Here are some easy steps you can take to increase your protection strategy.

Back up your data.

Since one of the main objectives of destructive malware is to take out infected machines and the data that resides on them, making regular backups of that data is a must. Simplify and automate your backup systems so your staff is more likely to use them. Create data partitions with automated backup and use offline and encrypted backups for critical files. No matter how sophisticated your security, nothing is perfect. One day, you will be breached, so you need to design your internal network with this inevitability in mind. In addition to backing up your data, have a pre-written disaster recovery plan and ensure systems are in place so operations can continue even if the worst happens.

Don't rely on signature-based antivirus (AV).

While Rombertik specifically targets APT measures such as sandboxing, sandboxes are still the best way for IT administrators to watch how a piece of malware behaves, away from the production network. Advanced threat actors have become extremely sophisticated and regularly create evasive malware designed to get past signature-based AV solutions. This means someone has to find the malware before you have a signature to protect against it. APT solutions detonate potential malware and use its behaviour to identify previously unknown, zero-day malware immediately. If you rely only on AV protection, consider yourself infected.

Leverage network-based and host-based security controls.

Host-based protection provides a degree of compartmentalisation within the network, protecting each host from its neighbours, and vice versa. Host-based firewalls can protect the host from zero-day exploits, and can also block unauthorised outgoing traffic from the host. This means that even if a host is infected by malware, it cannot spread the infection to the rest of the infrastructure. Network-based security controls, on the other hand, have the ability to intercept and analyse malware before it ever reaches the host computer, essentially running the file somewhere other than the user's machine. It's important for your infrastructure to have both.

Rombertik, like any type of destructive malware, requires a layered, defence-in-depth approach – it requires you to have defences for each link in the Cyber Kill Chain. By including the benefits of next-generation firewalls and unified threat management strategies, you'll be better prepared to thwart hackers, even as their attack vectors evolve.

Contributed by Corey Nachreiner, chief technology officer (CTO), WatchGuard