Every now and again a piece of malware comes along that grabs the attention of experts and journalists. Rombertik – discovered in recent days by Cisco Systems – is one such example, largely because of its determination to evade detection by the army of security researchers who hunt for advanced malware, and its extraordinary vindictiveness if and when it is discovered. Rombertik is data-stealing malware aimed at enterprises, but handling it carefully is wise if its latent destructiveness is to be neutralised.

We decided to get the opinion of Kevin Epstein, vice president of advanced security and governance at SaaS firm Proofpoint, who has analysed one of the year's most curious threats. Our conclusion is that, while Rombertik appears unusual in some respects, it is far from the terrifying threat some have suggested. It's more a question of detecting and quarantining it carefully.

Image: Cisco

Techworld: Rombertik looks like an unusual piece of malware but what is its primary purpose?

Epstein: Rombertik is general-purpose browser spyware; it is malware designed to hook into browser transactions to read credentials such as email or banking or other systems username/password combinations, and deliver those credentials to the attackers' server.

Techworld: How easily does it spread and find victims?

Epstein: Rombertik as yet is not organic, nor an AI; it doesn't spread itself or find victims; it's a tool for attackers. Attackers find victims quite easily, via black market purchase of organisational charts and corporate email address books.

Techworld: Is this being aimed at consumers, businesses or both? Is it a global threat or a localised one?

Epstein: Rombertik seems to be largely used by attackers of corporate entities (see Proofpoint's Human Factor report), but it could be used to siphon consumer banking logins as easily; the question is purely one of return-on-investment for the attackers. It is clearly a global threat.

Techworld: It steals data but it has another side to its personality aimed at security researchers, right?

Epstein: Malware has increasingly been designed to avoid detection - to look around at its environment and not trigger if it's in an automated detection system such as a 'sandbox'. Rombertik takes this a step further, actively destroying the Master Boot Record (MBR) of the hard drive of the system on which it resides, and/or permanently encrypting all user data files, if Rombertik believes it's being probed by a defender. This is vaguely reminiscent of Mission Impossible's 'this recording will self-destruct in 20 seconds'.

Techworld: It also tries to beat browser sandboxing. How innovative is this behaviour and do you think it will be successful?

Epstein: Sandbox-avoidance behaviour is well-documented and continues to evolve. Rombertik does not display any unusually innovative evasion beyond the self-destruct mechanism - which is a new variant.

Techworld: The malware writers have a cat-and-mouse relationship with researchers, but is actually targeting researchers unusual?

Epstein: Rombertik doesn't appear to be 'targeting' researchers per se - rather, it's displaying a less-passive approach to discovery. If it were a human virus, it'd be one of those that actively resisted antibiotics and did more damage if treated with the wrong drug.

Techworld: It steals data from browsers, for example logins, before HTTPS is established. Is it just hunting for useful data in a speculative way?

Epstein: It could be thought of as speculative, or 'general purpose' - all logins are useful and of monetary value to someone.

Techworld: What is its motive and do you think it is purely crimeware or perhaps ideologically-related?

Epstein: Rombertik seems to be largely used by attackers of corporate entities and the motivation is financial at this time. But like any tool, it could be used by ideologically-motivated attackers to steal logins to systems they'd wish to compromise for such reasons.

Techworld: If you detect Rombertik is there a way to dodge its destructiveness?

Epstein: The payload is not destructive; Rombertik is designed to hide and capture credentials. It only causes damage if it senses it's being discovered in a specific way, at which point it self-destructs, taking the computer system and data with it. If you have detected it without triggering it, you can remove its executable files with a standard set of file deletions.

Techworld: Beyond obvious defences such as anti-virus, how can businesses and individuals defend themselves against Rombertik?

Epstein: Since Rombertik is very sensitive to classic, reactive sandboxing, it's crucial to use modern, predictive defence systems that don't wait for a user to click to trigger a potential download of Rombertik. Furthermore, since the malware can be delivered via multiple vectors - like Dyre, via URLs or .doc files or .zip/.exe etc. - it's crucial to use systems that examine the whole kill chain, and block users' access to emailed URLs and attachments before they can be clicked by end users. Lastly, since the 'self-destruct' aspects of Rombertik can be triggered by legacy antivirus technologies, it's crucial that organisations utilise automated threat response systems that can pinpoint and block data exfiltration by Rombertik without triggering action on the PC, and alert security teams to respond quickly before damage is done.