| ID | X0031 |
| Type | Information Stealer |
| Aliases | None |
| Platforms | Windows |
| Year | 2015 |
| Associated ATT&CK Software | None |
This family of malware steals data the user enters into a browser and uses a variety of behaviors to hinder analysis. [1]
| Name | Use |
|---|---|
| Execution::User Execution (E1204) | The malware relies on a victim to execute itself. [1] |
| Persistence::Registry Run Keys / Startup Folder (F0012) | The malware will proceed to install itself in order to ensure persistence across system reboots before continuing on to execute the payload. To install itself, Rombertik first creates a VBS script named “fgf.vbs”, which is used to kick off Rombertik every time the user logs in, and places the script into the user’s Startup folder. [1] |
| Collection::Input Capture (E1056) | The malware injects itself into a browser and captures user input data. [1] |
| Impact::Data Destruction (E1485) | If a specific anti-analysis check fails, the malware will overwrite the Master Boot Record or the user's home folder. [1] |
| Collection::Keylogging::Polling (F0002.002) | Rombertik logs keystrokes via polling. [2] |
| Collection::Screen Capture::WinAPI (E1113.m01) | Rombertik captures screenshots. [2] |
| Defense Evasion::Obfuscated Files or Information::Encoding-Standard Algorithm (E1027.m02) | Rombertik encodes data using XOR. [2] |
| Discovery::Application Window Discovery::Window Text (E1010.m01) | Rombertik gets graphical window texts. [2] |
| Impact::Clipboard Modification (E1510) | Rombertik replaces clipboard data. [2] |
| Discovery::File and Directory Discovery (E1083) | Rombertik gets file version info. [2] |
| Discovery::System Information Discovery (E1082) | Rombertik gets disk sizes. [2] |
| Execution::Command and Scripting Interpreter (E1059) | Rombertik accepts command line arguments. [2] |
| Name | Use |
|---|---|
| Anti-Static Analysis::Executable Code Obfuscation::Code Insertion (B0032.002) | Most of the malware file consists of unnecessary code or unnecessary data. [1] |
| Anti-Behavior Analysis::Dynamic Analysis Evasion::Data Flood (B0003.002) | The malware stalls by writing a byte of random data to memory 960 million times which complicates analysis. It also calls specific Windows API functions. [1] |
| Anti-Behavioral Analysis::Sandbox Detection::Test API Routines (B0007.010) | The malware checks for sandboxes that suppress errors returned from API routine calls the using ZwGetWriteWatch routine. [1] |
| Anti-Behavioral Analysis::Debugger Detection::OutputDebugString (B0001.016) | The malware calls the Windows API OutputDebugString function 335,000 times. [1] |
| Anti-Behavior Analysis::Debugger Detection::Check Processes (B0001.038) | An anti-analysis function within the packer is called to check the username and filename of the executing process for strings like “malwar”, “sampl”, “viru”, and “sandb”. [1] |
| Anti-Behavioral Anlaysis::Dynamic Analysis Evasion::Code Integrity Check (B0003.011) | The function computes a 32-bit hash of a resource in memory and compares it to the PE Compile Timestamp of the unpacked sample. If the resource or compile time has been altered, the malware acts destructively. [1] |
| Command and Control::C2 Communication::Send Data (B0030.001) | The malware sends data to the C2. [1] [2] |
| Command And Control::C2 Communication::Receive Data (B0030.002) | Rombertik receives data. [2] |
| Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check GetTickCount (B0001.032) | Rombertik checks for time delay via GetTickCount. [2] |
| Anti-Static Analysis::Disassembler Evasion::Argument Obfuscation (B0012.001) | Rombertik contains obfuscated stack strings. [2] |
| Communication::Socket Communication::Create TCP Socket (C0001.011) | Rombertik creates TCP sockets. [2] |
| Cryptography::Encrypt Data::RC4 (C0027.009) | Rombertik encrypts data using RC4 PRGA. [2] |
| Cryptography::Encryption Key::RC4 KSA (C0028.002) | Rombertik encrypts data using RC4 KSA. [2] |
| Data::Encode Data::XOR (C0026.002) | Rombertik encodes data using XOR. [2] |
| File System::Delete File (C0047) | Rombertik deletes files. [2] |
| File System::Read File (C0051) | Rombertik reads files on Windows. [2] |
| File System::Write File (C0052) | Rombertik writes files on Windows. [2] |
| Memory::Allocate Memory (C0007) | Rombertik allocates RWX memory. [2] |
| Operating System::Registry::Delete Registry Key (C0036.002) | Rombertik deletes registry keys. [2] |
| Operating System::Registry::Query Registry Value (C0036.006) | Rombertik queries or enumerates registry values. [2] |
| Operating System::Registry::Set Registry Key (C0036.001) | Rombertik sets registry values. [2] |
| Process::Create Mutex (C0042) | Rombertik creates a mutex. [2] |
| Process::Create Thread (C0038) | Rombertik creates a thread. [2] |
| Process::Set Thread Local Storage Value (C0041) | Rombertik sets thread local storage values. [2] |
SHA256 Hashes
- 0d11a13f54d6003a51b77df355c6aa9b1d9867a5af7661745882b61d9b75bccf
- 77bacb44132eba894ff4cb9c8aa50c3e9c6a26a08f93168f65c48571fdf48e2a
Command-and-Control Servers
[1] https://blogs.cisco.com/security/talos/rombertik
[2] capa v4.0, analyzed at MITRE on 10/12/2022