Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
Pique Analysis Report
20150904-274-SentinelOne Rombertik
Raytheon Blackbird Technologies, Inc.
04 September 2015
Use or disclosure of data contained on this sheet is subject to the restrictions on the title page of this document.
1.0 (U) Analysis Summary
(S//NF) This report is based on a brief blog entry from SentinelOne, an end-point protection company, on a malicious threat known as Rombertik. Rombertik takes the extreme action of wiping the victim's MBR upon detection of sandboxes or analysis functions such as debuggers.
(S//NF) Rombertik is heavily obfuscated, employing layered obfuscation techniques and anti-analysis methods. The malware uses an exorbitant amount of "junk" code to make static analysis difficult. In fact, the SentinelOne authors claim that 97% of the packed Rombertik file is junk instructions.
(S//NF) The report goes on to state that they've seen advanced anti-static-analysis techniques involving just-in-time de-obfuscation at runtime, but they don't specifically say they've seen Rombertik using such techniques.
(S//NF) Rombertik is distributed as zipped .SRC files in an attempt to hide the fact that it's an executable. Of course, Windows handles .SRC files as executables.
(S//NF) The remainder of the report is primarily screenshots from SentinelOne's end-point protection application, with discussion of how effective their product is at detecting and dealing with the type of threat represented by Rombertik.
(S//NF) Because of the lack of technical details relating to implementation, no PoCs are recommended from this report.
2.0 (U) Description of the Technique
(S//NF) Not applicable because no PoCs are recommended.
3.0 (U) Identification of Affected Applications
(U) Windows.
4.0 (U) Related Techniques
(S//NF) Obfuscation, anti-analysis, covert action.
5.0 (U) Configurable Parameters
(U) Varied.
6.0 (U) Exploitation Method and Vectors
(S//NF) No exploitation methods were discussed in this report. The implied attack vector is social engineering involving zipped files.