Security Affairs
Rombertik, a complex malware that also wipes hard drive to prevent analysis

Rombertik is the name of a highly sophisticated strain of malware spotted by researchers of the Cisco Talos Team; it wipes the hard drive to prevent analysis.

Security experts have uncovered a new strain of malware, dubbed Rombertik, that implements highly sophisticated techniques to evade detection and analysis; it also includes the ability to delete data from the victim’s hard drive, rendering the computer unusable.

“There is a new kid on the block” and no one knows it: it’s super secretive, it takes measures to evade detection and analysis, and if needed it will wipe the victim’s entire hard drive. It is called Rombertik.

Rombertik was discovered by the experts of the Cisco Talos Group; it is a very complex piece of software that collects information about what the user is doing on the Web, with the aim of gathering login credentials and other sensitive data.

The attack chain is similar to that of other malware: it is delivered via malicious emails, as explained by the researchers.

[Figure: screenshot of the malicious email used to deliver Rombertik]

Talos experts have reverse engineered the Rombertik agent and documented what the malware does: it includes multiple levels of obfuscation and anti-analysis checks, and as a last resort it self-destructs, taking the entire content of the hard drive with it.

“Once the unpacked version of Rombertik within the second copy of yfoye.exe begins executing, one last anti-analysis function is run — which turns out to be particularly nasty if the check fails. The function computes a 32-bit hash of a resource in memory, and compares it to the PE Compile Timestamp of the unpacked sample. If the resource or compile time has been altered, the malware acts destructively. It first attempts to overwrite the Master Boot Record (MBR) of PhysicalDisk0, which renders the computer inoperable. If the malware does not have permissions to overwrite the MBR, it will instead destroy all files in the user’s home folder (e.g. C:\Documents and Settings\Administrator\) by encrypting each file with a randomly generated RC4 key. After the MBR is overwritten, or the home folder has been encrypted, the computer is restarted,” explained the Talos researchers Ben Baker and Alex Chiu. “The Master Boot Record starts with code that is executed before the Operating System. The overwritten MBR contains code to print out “Carbon crack attempt, failed”, then enters an infinite loop preventing the system from continuing to boot.”

The researchers verified that the MBR also contains the disk partition table; this means that when the malware overwrites the MBR it also sets the partition-table bytes to null, making it difficult for a forensics expert to access the data. When the PC is rebooted, the victim is stuck at the following screen.

[Figure: boot screen displayed after the MBR has been overwritten]

“Effectively, Rombertik begins to behave like a wiper malware sample, trashing the user’s computer if it detects it’s being analyzed. While Talos has observed anti-analysis and anti-debugging techniques in malware samples in the past, Rombertik is unique in that it actively attempts to destroy the computer if it detects certain attributes associated with malware analysis.”
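Forensic triage of the overwritten MBR described above, as an added example that is not from the article or from Talos: it parses a 512-byte sector, checks the boot signature, flags a nulled partition table and looks for the message the Talos report says the replaced boot code prints. The sample sectors are constructed here, not real Rombertik artifacts.

```python
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446        # boot code occupies bytes 0..445
PART_ENTRY_SIZE = 16           # four entries, 64 bytes in total
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of a valid MBR
# String the Talos report says the overwritten MBR prints at boot.
ROMBERTIK_MARKER = b"Carbon crack attempt, failed"


def parse_partition_table(sector):
    """Return the four partition entries as dicts (status, type, LBA start, sector count)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        raw = sector[off:off + PART_ENTRY_SIZE]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4), little-endian
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", raw)
        entries.append({"status": status, "type": ptype, "lba_start": lba_start,
                        "sectors": sectors, "empty": raw == b"\x00" * PART_ENTRY_SIZE})
    return entries


def triage_mbr(sector):
    """Flag the indicators a wiped or replaced MBR leaves behind."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    parts = parse_partition_table(sector)
    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if all(p["empty"] for p in parts):
        findings.append("partition table is all zeros")
    if ROMBERTIK_MARKER in sector[:PART_TABLE_OFFSET]:
        findings.append("Rombertik wiper message present in boot code")
    return {"partitions": parts, "findings": findings, "suspicious": bool(findings)}


def build_mbr(boot_code, entries):
    """Assemble a constructed 512-byte MBR from boot code and partition entries."""
    code = boot_code.ljust(PART_TABLE_OFFSET, b"\x00")[:PART_TABLE_OFFSET]
    table = b"".join(entries).ljust(4 * PART_ENTRY_SIZE, b"\x00")
    return code + table + BOOT_SIGNATURE


# Constructed samples: one healthy NTFS layout, one with a nulled table and the wiper message.
HEALTHY_ENTRY = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
HEALTHY_MBR = build_mbr(b"\xeb\x63\x90", [HEALTHY_ENTRY])
WIPED_MBR = build_mbr(b"\xeb\x00" + ROMBERTIK_MARKER, [])

if __name__ == "__main__":
    for name, img in (("healthy", HEALTHY_MBR), ("wiped", WIPED_MBR)):
        print(name, triage_mbr(img)["findings"])
```

Run it against a real image with `triage_mbr(open("disk.img", "rb").read(512))`; the partition entries it returns are also the data a recovery tool would need to rebuild the table from backup copies elsewhere on disk.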

This is certainly a complex piece of malware that will make the life of IT professionals even more difficult, but the best defense against it is following good security practices: checking that the antivirus is up to date, not opening emails from people you don’t know, avoiding the SPAM folder, and so on; the normal advice that everyone should know.

The complete analysis published by the Talos Group is available here.

About the Author: Elsio Pinto

Elsio Pinto is currently the Lead McAfee Security Engineer at Swiss Re, but he also has knowledge in the areas of malware research, forensics and ethical hacking. He has previous experience in major institutions, the European Parliament being one of them. He is a security enthusiast and tries his best to pass on his knowledge. He also runs his own blog: http://high54security.blogspot.com/

Edited by Pierluigi Paganini

(Security Affairs – Rombertik , malware)