IT Tutorial

Rombertik Malware Payload

Security researchers have discovered a new strain of malware that makes use of extraordinary measures to evade detection and analysis, making the computer it infects unusable.

Dubbed Rombertik, the malware is considered "unique" among self-destructing samples because of its evasion techniques. As soon as it detects an analysis tool, Rombertik attempts to delete the device's Master Boot Record (MBR) and home directories, leaving the machine in a constant restart loop.

Rombertik is a complex piece of spyware designed to "indiscriminately" collect everything a user does online in order to obtain victim’s login credentials and other confidential information.

Infects users via phishing campaign:

Rombertik typically gets installed on vulnerable machines when users click on malicious attachments included in phishing emails, Cisco security researchers Ben Baker and Alex Chiu said in a blog post Monday.

Once loaded into the system, Rombertik first runs a series of anti-analysis checks to determine if it is running within a sandbox.

If it is not running within a sandbox, Rombertik decrypts and installs itself on the victim's machine. The installed malware then launches a second copy of itself and overwrites that second copy with its core spying functionality.
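As an added illustration of the defender's side of the MBR wiping described above (example code written for this page, not from the researchers' post), the following Python parses a raw 512-byte MBR and flags a wiped or altered sector against a known-good hash of its bootstrap code. The sample sector and the baseline hash are constructed here, not taken from any real disk.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"   # last two bytes of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Parse a 512-byte MBR into bootstrap-code hash, partition entries and signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):                       # four 16-byte partition entries start at offset 446
        off = 446 + 16 * i
        status, _, ptype, _, lba_start, sectors = struct.unpack_from("<B3sB3sII", sector, off)
        if ptype != 0:                       # type 0 means the slot is unused
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": sector[510:512] == BOOT_SIGNATURE,
            "partitions": entries,
            "code_hash": hashlib.sha256(sector[:446]).hexdigest()}


def check_mbr(sector: bytes, baseline_code_hash: str) -> list[str]:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing (sector wiped or overwritten)")
    if not info["partitions"]:
        findings.append("no partition entries (partition table zeroed)")
    if info["code_hash"] != baseline_code_hash:
        findings.append("bootstrap code differs from baseline (possible bootkit or wiper)")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed healthy MBR: placeholder bootstrap code plus one bootable NTFS partition."""
    code = b"\xEB\x63\x90" + b"\x90" * 443                          # 446 bytes of bootstrap
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 1_000_000)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE              # 446 + 64 + 2 = 512


# Baseline hash would normally be recorded at provisioning time; constructed here from the sample.
BASELINE = hashlib.sha256(build_sample_mbr()[:446]).hexdigest()

if __name__ == "__main__":
    print("healthy:", check_mbr(build_sample_mbr(), BASELINE))
    print("wiped:  ", check_mbr(b"\x00" * MBR_SIZE, BASELINE))
```

On a live system the sector would be read from the raw disk device by a privileged agent and compared on a schedule; a zeroed sector produces all three findings at once.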
