Just because a malware sample is a sophisticated doomsday device doesn't necessarily mean the adversary using that malware is a sophisticated attacker bent on destroying the earth. That "adversary intelligence" -- knowledge about the adversary's capability and intent -- is essential to making decisions about how to properly prioritize and defend against threats, according to research released this week by ThreatConnect.
Last month, researchers at Cisco Talos, Symantec, and BlueCoat Labs were all digging into Rombertik (a.k.a. Carbon Grabber), malware that had, among other things, impressive anti-analysis capabilities -- it would destroy the master boot record if it detected it was being analyzed or debugged (or, as Symantec theorized, possibly if the Rombertik authors detected that their criminal customers were trying to exceed the permissions of their Rombertik licensing agreement).
Sophisticated tech. Very desirable for anyone who wants to keep nosy security teams and forensics investigators at bay. However, when ThreatConnect started to poke around to learn more about the adversary using Rombertik, they discovered that he wasn't nearly as discreet as his malware would indicate.
"It wasn't hard in any way to figure out his intent," says Rich Barger, chief intelligence officer of ThreatConnect.
The goal, says Barger, was "get rich quick." And the culprit was 30-year-old Kayode Ogundokun, a.k.a "KallySky," from Lagos, Nigeria -- a city with a growing wealthy class driven by the get-rich spirit. He was very active on Facebook, Twitter, LinkedIn, Blogger, and on YouTube, where he gave tutorials on using some of these attack tools.
According to ThreatConnect, "In fact, Ogundokun has done very little in the way of operational security (OPSEC). His efforts in covering his tracks have been minimal to non-existent."
In his YouTube tutorials not only does KallySky recklessly share his email address and phone number, but he even reveals passwords in cleartext and shares his bank account information. According to ThreatConnect "his tutorials clearly underscore his lackluster technical prowess." Also:
Ogundokun’s skillset appears to be limited to using commodity RATs and Botnets within email borne attacks and is motivated primarily on financial gain rather than espionage or ideological purposes.
The TCIRT assesses that Ogundokun likely purchased a new version of Carbon Grabber from a much more capable and sophisticated tool author, where the author subsequently sold or licensed it to the less capable operator. ... It appears as if this particular sample of Carbon Grabber was simply caught up in a headline grabbing story."
"Rombertik was 'the end of the Internet as we know it,'" says Barger, "and with new knowledge, we could shift that and say, this isn't the threat we thought."
Barger says that this kind of adversary intelligence can help security teams decide whether they really should drop everything and rush to address a new threat that moment, or if they should approach it differently. "We can start making better decisions," he says, "at a technical level, but also at a strategic level."
There have been some debates within the security community about the importance, or lack thereof, of attribution -- who committed the attack. "That story can sometimes take years to develop," says Barger, but "We're attributing things all the time. It's just different levels of attribution."
Although knowing the precise threat actor may take a long time, he says there is value to knowing some general information about the adversary's capabilities and intent -- and sketching out those basics and "chasing down the hype" may not take very long.
"It really depends," says Barger. "Some of them are really disciplined in terms of their [operational security]," and the cooperation of ISPs, national authorities, and other organizations can also affect how long it takes to develop the intelligence.
Barger says that there is demand for this information. When the security team has to report that the organization has been compromised, "The boss always wants to know [by] who."