Cylance vs. The Real World: Rombertik

Another day, another piece of malware that tries to evade detection. On May 4th, Cisco's TALOS Group blogged about an interesting new malware sample they dubbed Rombertik. Similar to the ever-popular Dyre malware, Rombertik at its core is a credential stealer designed to exfiltrate logins and sensitive information from a victim's web sessions.

So what makes it "interesting"? For starters, Rombertik is sandbox-aware. If it detects that it's being run in a virtualized environment, it attempts to evade detection not by merely sleeping, but in a novel way.

From the Cisco blog:

Rombertik instead writes a byte of random data to memory 960 million times. This is designed to consume time, like sleeping, but presents a couple disadvantages for sandboxes and application tracing tools. Sandboxes may not be able to immediately determine that the application is intentionally stalling since it’s not sleeping.

The other disadvantage is that the repetitive writing would flood application tracing tools. If an analysis tool attempted to log all of the 960 million write instructions, the log would grow to over 100 gigabytes. Even if the analysis environment was capable of handling a log that large, it would take over 25 minutes just to write that much data to a typical hard drive. This complicates analysis.

Another notable aspect of Rombertik is how it operates after it determines it isn't in a virtual environment. After it passes the sandbox test, Rombertik decrypts, establishes persistence, writes over itself and then checks to see if it's being analyzed in memory. If the malware determines that it IS being analyzed, it tries to delete the Master Boot Record or (if that fails) attempt to encrypt the contents of the user's home folder with a random RC4 key.

Clever Malware

Rombertik is just another example of how attackers continue to evolve their techniques in order to bypass detection technology. With every new iteration of security products, the attackers are right there to defeat them. Much like the genetically-engineered-to-be-female dinosaurs in Jurassic Park, when there's real financial stakes at play, the attackers will always find a way.


So What's The Solution?

Patching, educating users not to open suspicious attachments, filter email at the gateway better – you've heard it all before. "Blame the users" is the eternal IT/security scapegoat, it's been going strong since ARPANET was a thing. The REAL solution is to demand more from your security vendors. If bypassing a product is simply a matter of time, why even bother signing a three-year deal with a software security vendor? It'll be obsolete halfway through the contracted time period.

If lobbying your vendor to actually secure you seems like too much of a hassle, simply deploy CylancePROTECT in your environment. By throwing out the old methods, and instead leveraging machine learning techniques like artificial intelligence, we've taken an evolutionary leap forward in malware prevention. Without the limitations of traditional detection techniques, we have absolutely no problem detecting and blocking malware like Rombertik from day one.

Is CylancePROTECT a "silver bullet" solution? No. Does it exponentially raise the bar for attackers? Absolutely.

Want proof? Just watch this video:

Stuart McClure
CEO and Founder
Cylance, Inc.

P.S. We don't just stop the sample uncovered by Cisco, here's our technology detecting a slew of Rombertik variants all without having seen it before!