Skip to main content

Meet the Rombertik, the malware that self-destructs when discovered

Hard to believe that a malware can cause so much havoc.
Hard to believe that a malware can cause so much havoc.

Researchers at the Cisco-owned Talos Security Intelligence and Research Group have discovered a piece of malware, named Rombertik, that can best be described as exhibiting kleptomaniac and suicidal behaviours.

Ben Baker and Alex Chiu, who were part of the team that unearthed Rombertik, found out that this malware lives on the victim's browser, in a way similar to a parasite, and exfiltrates login details and other sensitive piece of information to an external server.

The data capture occurs at the source itself, i.e. as the target enters it in the browser, before the information is encrypted and sent over HTTPS.

While its propagation methods remains remarkably simple, relying mostly on social engineering and the gullibility of the weakest link in the system (i.e. human beings), it is what follows afterwards that makes it interesting.

"If the sample detected that it was being analysed or debugged it would ultimately destroy the master boot record [MBR]" wrote the pair.

A nasty piece of bits

Doing so just makes your computer unusable forcing you to reinstall your operating system altogether. If the malware doesn't have the permission do that, it will encrypt the home folder and restart your computer.

That is not a new behaviour remarked David Emm, Principal Security Researcher at Kaspersky Lab. ""Trashing sections of a hard disk, or corrupting data was quite common in the 1990s - that was a time when the threat landscape was dominated by cyber-vandalism e.g. Michelangelo, Dark Avenger, Maltese Amoeba, Chernobyl. Equally, it's an approach that has been employed more recently by 'wipers' (e.g. Shamoon) to sabotage infected systems. Likewise, encrypting data, while used in 'old school' attacks for mischief (e.g. One-half) has become a key feature in today's ransomware programs."

Making sure that your antivirus software is installed and up to date, that you don't click on suspicious attachments and block certain types will go a long way to protect yourself.

Source: Cisco's Talos

Desire Athow

Managing Editor, TechRadar Pro

Désiré has been musing and writing about technology in a career spanning four decades. Following an eight-year stint at where he discovered the joys of global techfests, Désiré now heads up TechRadar Pro. He has an affinity for anything hardware and staunchly refuses to stop writing reviews of obscure products or cover niche B2B software-as-a-service providers.