A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #25805  by EP_X0FF
 Wed May 06, 2015 4:22 am
overwrite the MBR, it will instead destroy all files in the user’s home folder (e.g. C:\Documents and Settings\Administrator\)
Stop using Windows XP and ancient computers with BIOS.
 #25808  by Intimacygel
 Wed May 06, 2015 2:38 pm
This is blowing up in the media for like no reason. It's not even that scary or innovative.

Here is an unpacked sample
Attachments
infected
(10.93 KiB) Downloaded 108 times
 #25820  by EP_X0FF
 Fri May 08, 2015 8:24 am
Finally got some "willing" to look on this.

What can I say.

HOLY FUCK.

It is Delphi dropper with perun dll inside.
In this case, the unpacked Rombertik sample is 28KB while the packed version is 1264KB. Over 97% of the packed file is dedicated to making the file look legitimate by including 75 images and over 8000 functions that are never used.
From where did you get out Ben Baker and Alex Chiu? Two idiots never saw Delphi apps? Or maybe two idiots never know how to join something with Delphi app? :) This work is definitely not for you.

Talos Group? How about re-branding to Phallus Group? :D Fully describes their level of the sophistication and professionalism.

Guess what this "super malware" level of hackforums does? It drops VBS script of the following ultimate code
Code: Select all
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run chr(34) & "C:\Documents and Settings\User\Application Data\rsr\yfoye.bat" & Chr(34), 0
Set WshShell = Nothing
to "AUTORUN" folder, drops bat and copy of itself to AppData\rsr folder. Next it runs in background as PROCESS and waits in loop for browsers popup in process list. Next when browser "firefox/chrome" found it injects this super dll written in VS 2010 with CreateRemoteThread and performs ring3 HOOKING of several API's. Wow, never seen before.

Depending on browser it will hook:

chrome
Ws2_32!WSASend

firefox
kernel32!CreateFileW
Wininet!HttpSendRequestW

It implemented so buggy (madskillz hooks) so it never work for me resulting in browsers crash.

Next comedy part - so called "anti-analysis".

Under this comedy statement is hidden simple CRC32 check this malware does over it resource. This is made to prevent hex-editing. If something wrong it will do described mbr overwrite and files encryption. Will work on Windows XP. That's all anti-analysis. Yes, that's all.

It is common trend of last few years when team of unknown monkeys and script-kiddies are poping up from nowhere with "security researches" about "ultimate super-duper" malware. Sort of legalized fraud. So they just a kind of cybercriminals itself -> Ben Baker and Alex Chiu from Phallus Group, remember them, I think it's beginning of their professional career.


Image
 #25823  by robemtnez
 Fri May 08, 2015 1:17 pm
So no anti-debuging or sandbox analysis detection at all with machine mass destruction? :roll:
 #25824  by EP_X0FF
 Fri May 08, 2015 3:19 pm
robemtnez wrote:So no anti-debuging or sandbox analysis detection at all with machine mass destruction? :roll:
Does it looks like this? Malwr running on VirtualBox open for any detection.
https://malwr.com/analysis/ZDA0ZTkzNTI5NGVhNDZmZDhmMWU1MjNlMjNjYzZkMTg/

I can tell you why and where this scary machine "destruction" will only take place.

This so called anti-analysis is a protection from smart script-kiddies who know how to use in memory hex-editor and can change bot configuration (server name for example from hxxp://www.centozos.org.in to mysuperdomain.com). Configuration stored inside this small dll as resources in RCDATA (this dll is actually executable - you can run it just like you run any exe and it will work). Here also stored block of keys used to decrypt configuration. This malware check checksum of 1006 resource and if something bad happened -> CRC32 != 0x0E1A63B9 -> wow we are under hacking attempt - wipe MBR etc. Ultra super advanced technology.

People who did this "analysis" are script-kiddies with IDA Pro at hand which used only for screenshoting of Delphi VCL runtime call graph, facepalm.

So basically all these mass media monkeys are lying you. Well, just like they should by design and purpose.