rombertik.md

File metadata and controls

110 lines (92 loc) · 9.43 KB
ID X0031
Aliases None
Platforms Windows
Year 2015
Associated ATT&CK Software None

Rombertik

This family of malware steals data the user enters into a browser and uses a variety of behaviors to hinder analysis. [1]

ATT&CK Techniques

| Name | Use |
| --- | --- |
| Initial Access::Phishing::Spearphishing Attachment (T1566.001) | The malware is sent out to victims via an attachment. [1] |
| Persistence::Boot or Logon Autostart Execution (T1547) | The malware starts every time a user logs in. [1] |
| Defense Evasion::Deobfuscate/Decode Files or Information (T1140) | The malware will unpack its code in memory. [1] |
| Impact::Disk Wipe (T1561) | If a specific anti-analysis check fails, the malware will overwrite the Master Boot Record or the user's home folder. [1] |
| Command and Control::Data Encoding::Standard Encoding (T1132.001) | The malware transmits Base64 encoded data to C2. [1] |
| Command and Control::Application Layer Protocol::Web Protocols (T1071.001) | The malware transmits data over HTTP. [1] |
| Collection::Clipboard Data (T1115) | Rombertik reads clipboard data. [2] |
| Defense Evasion::Hide Artifacts::Hidden Window (T1564.003) | Rombertik hides graphical windows. [2] |
| Discovery::Account Discovery (T1087) | Rombertik gets a session user name. [2] |
| Discovery::Application Window Discovery (T1010) | Rombertik enumerates GUI resources. [2] |
| Discovery::Process Discovery (T1057) | Rombertik gets process heap force flags. [2] |
| Discovery::System Location Discovery (T1614) | Rombertik gets geographical locations. [2] |
| Discovery::System Location Discovery::System Language Discovery (T1614.001) | Rombertik gets keyboard layout. [2] |
| Execution::Shared Modules (T1129) | Rombertik accesses PEB ldr_data. [2] |

Enhanced ATT&CK Techniques

| Name | Use |
| --- | --- |
| Execution::User Execution (E1204) | The malware relies on a victim to execute itself. [1] |
| Persistence::Registry Run Keys / Startup Folder (F0012) | The malware will proceed to install itself in order to ensure persistence across system reboots before continuing on to execute the payload. To install itself, Rombertik first creates a VBS script named "fgf.vbs", which is used to kick off Rombertik every time the user logs in, and places the script into the user's Startup folder. [1] |
| Collection::Input Capture (E1056) | The malware injects itself into a browser and captures user input data. [1] |
| Impact::Data Destruction (E1485) | If a specific anti-analysis check fails, the malware will overwrite the Master Boot Record or the user's home folder. [1] |
| Collection::Keylogging::Polling (F0002.002) | Rombertik logs keystrokes via polling. [2] |
| Collection::Screen Capture::WinAPI (E1113.m01) | Rombertik captures screenshots. [2] |
| Defense Evasion::Obfuscated Files or Information::Encoding-Standard Algorithm (E1027.m02) | Rombertik encodes data using XOR. [2] |
| Discovery::Application Window Discovery::Window Text (E1010.m01) | Rombertik gets graphical window texts. [2] |
| Impact::Clipboard Modification (E1510) | Rombertik replaces clipboard data. [2] |
| Discovery::File and Directory Discovery (E1083) | Rombertik gets file version info. [2] |
| Discovery::System Information Discovery (E1082) | Rombertik gets disk sizes. [2] |
| Execution::Command and Scripting Interpreter (E1059) | Rombertik accepts command line arguments. [2] |

MBC Behaviors

| Name | Use |
| --- | --- |
| Anti-Static Analysis::Executable Code Obfuscation::Code Insertion (B0032.002) | Most of the malware file consists of unnecessary code or unnecessary data. [1] |
| Anti-Behavioral Analysis::Dynamic Analysis Evasion::Data Flood (B0003.002) | The malware stalls by writing a byte of random data to memory 960 million times, which complicates analysis. It also calls specific Windows API functions. [1] |
| Anti-Behavioral Analysis::Sandbox Detection::Test API Routines (B0007.010) | The malware checks for sandboxes that suppress errors returned from API routine calls, using the ZwGetWriteWatch routine. [1] |
| Anti-Behavioral Analysis::Debugger Detection::OutputDebugString (B0001.016) | The malware calls the Windows API OutputDebugString function 335,000 times. [1] |
| Anti-Behavioral Analysis::Debugger Detection::Check Processes (B0001.038) | An anti-analysis function within the packer is called to check the username and filename of the executing process for strings like "malwar", "sampl", "viru", and "sandb". [1] |
| Anti-Behavioral Analysis::Dynamic Analysis Evasion::Code Integrity Check (B0003.011) | The function computes a 32-bit hash of a resource in memory and compares it to the PE Compile Timestamp of the unpacked sample. If the resource or compile time has been altered, the malware acts destructively. [1] |
| Command and Control::C2 Communication::Send Data (B0030.001) | The malware sends data to the C2. [1] [2] |
| Command and Control::C2 Communication::Receive Data (B0030.002) | Rombertik receives data. [2] |
| Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check GetTickCount (B0001.032) | Rombertik checks for time delay via GetTickCount. [2] |
| Anti-Static Analysis::Disassembler Evasion::Argument Obfuscation (B0012.001) | Rombertik contains obfuscated stack strings. [2] |
| Communication::Socket Communication::Create TCP Socket (C0001.011) | Rombertik creates TCP sockets. [2] |
| Cryptography::Encrypt Data::RC4 (C0027.009) | Rombertik encrypts data using RC4 PRGA. [2] |
| Cryptography::Encryption Key::RC4 KSA (C0028.002) | Rombertik encrypts data using RC4 KSA. [2] |
| Data::Encode Data::XOR (C0026.002) | Rombertik encodes data using XOR. [2] |
| File System::Delete File (C0047) | Rombertik deletes files. [2] |
| File System::Read File (C0051) | Rombertik reads files on Windows. [2] |
| File System::Write File (C0052) | Rombertik writes files on Windows. [2] |
| Memory::Allocate Memory (C0007) | Rombertik allocates RWX memory. [2] |
| Operating System::Registry::Delete Registry Key (C0036.002) | Rombertik deletes registry keys. [2] |
| Operating System::Registry::Query Registry Value (C0036.006) | Rombertik queries or enumerates registry values. [2] |
| Operating System::Registry::Set Registry Key (C0036.001) | Rombertik sets registry values. [2] |
| Process::Create Mutex (C0042) | Rombertik creates a mutex. [2] |
| Process::Create Thread (C0038) | Rombertik creates a thread. [2] |
| Process::Set Thread Local Storage Value (C0041) | Rombertik sets thread local storage values. [2] |

Indicators of Compromise

SHA256 Hashes

  • 0d11a13f54d6003a51b77df355c6aa9b1d9867a5af7661745882b61d9b75bccf
  • 77bacb44132eba894ff4cb9c8aa50c3e9c6a26a08f93168f65c48571fdf48e2a

Command-and-Control Servers

References

[1] https://blogs.cisco.com/security/talos/rombertik

[2] capa v4.0, analyzed at MITRE on 10/12/2022