The Rombertik spyware, detected by ESET as Win32/Spy.Agent.OLJ.
Researchers at Cisco discovered that after arriving on a user’s computer via a phishing campaign or an email attachment, the malware checks whether it is running inside a sandbox. If that check passes, ZDNet explains, it decrypts itself and launches on the victim’s computer. Once this is done, a second copy of itself is launched and overwritten with the spying functionality.
However, before the core spying activity begins, Rombertik performs a final check to see whether it is being analyzed in the system’s memory. If analysis is detected, Rombertik wipes the computer’s master boot record. If that step fails, it targets every file in the user’s home folder, encrypting each one with a random RC4 key.
Although it has been said that the malware “destroys” your computer, the chances of it hitting a regular user’s computer are not high, as Graham Cluley notes, and the damage is limited to erasing the MBR.
In any case, the best defense against Rombertik is adherence to security basics: up-to-date security software, avoiding attachments from unknown senders and solid security policies for businesses will all help avoid the malware, which is said to have low infection rates as things stand.
Author Alan Martin, ESET