Researchers at Blue Coat analyzed a new threat, called “Rombertik,” and believe that it is being used as an “obfuscating wrapper” to hide other malware attacks.
Earlier this week, Cisco identified Rombertik as malware capable of destroying the master boot record (MBR) of targeted devices when analysis tools are detected. Spread through spam and phishing emails, the malware’s ultimate aim was to capture users’ information by injecting itself into the Firefox, Chrome or Internet Explorer browser process and hooking API functions that handle plain-text data.
After further analysis of the threat, Blue Coat shared in a Thursday blog post that Rombertik was “not actual standalone malware at all,” but was used to conceal crimeware. The Rombertik samples Blue Coat analyzed, for instance, appeared to serve as an obfuscating wrapper for the DarkComet RAT, a password stealer (potentially Pony Loader) and Andromeda malware.