'Adversary Intelligence' Finds Criminals Not As Smart As Their Code

The adversary using the stealthy Rombertik malware wasn't nearly as stealthy.

Just because a malware sample is a sophisticated doomsday device doesn't necessarily mean the adversary using that malware is a sophisticated attacker bent on destroying the earth. That "adversary intelligence" -- knowledge about the adversary's capability and intent -- is essential to making decisions about how to properly prioritize and defend against threats, according to research released this week by ThreatConnect.

Last month, researchers at Cisco Talos, Symantec, and BlueCoat Labs were all digging into Rombertik (a.k.a. Carbon Grabber), malware that had, among other things, impressive anti-analysis capabilities -- it would destroy the master boot record if it detected it was being analyzed or debugged (or, as Symantec theorized, possibly if the Rombertik authors detected that their criminal customers were trying to exceed the permissions of their Rombertik licensing agreement).

Sophisticated tech. Very desirable for anyone who wants to keep nosy security teams and forensics investigators at bay. However, when ThreatConnect started to poke around to learn more about the adversary using Rombertik, they discovered that he wasn't nearly as discreet as his malware would indicate.

"It wasn't hard in any way to figure out his intent," says Rich Barger, chief intelligence officer of ThreatConnect.

The goal, says Barger, was "get rich quick." And the culprit was 30-year-old Kayode Ogundokun, a.k.a "KallySky," from Lagos, Nigeria -- a city with a growing wealthy class driven by the get-rich spirit. He was very active on Facebook, Twitter, LinkedIn, Blogger, and on YouTube, where he gave tutorials on using some of these attack tools.

According to ThreatConnect, "In fact, Ogundokun has done very little in the way of operational security (OPSEC). His efforts in covering his tracks have been minimal to non-existent."

In his YouTube tutorials not only does KallySky recklessly share his email address and phone number, but he even reveals passwords in cleartext and shares his bank account information. According to ThreatConnect, "his tutorials clearly underscore his lackluster technical prowess." Also:

"Ogundokun's skillset appears to be limited to using commodity RATs and Botnets within email borne attacks and is motivated primarily on financial gain rather than espionage or ideological purposes.

The TCIRT assesses that Ogundokun likely purchased a new version of Carbon Grabber from a much more capable and sophisticated tool author, where the author subsequently sold or licensed it to the less capable operator. ... It appears as if this particular sample of Carbon Grabber was simply caught up in a headline grabbing story."

"Rombertik was 'the end of the Internet as we know it,'" says Barger, "and with new knowledge, we could shift that and say, this isn't the threat we thought."

Barger says that this kind of adversary intelligence can help security teams decide whether they really should drop everything and rush to address a new threat that moment, or if they should approach it differently. "We can start making better decisions," he says, "at a technical level, but also at a strategic level."

There have been some debates within the security community about the importance, or lack thereof, of attribution -- who committed the attack. "That story can sometimes take years to develop," says Barger, but "We're attributing things all the time. It's just different levels of attribution." 

Although knowing the precise threat actor may take a long time, he says there is value to knowing some general information about the adversary's capabilities and intent -- and sketching out those basics and "chasing down the hype" may not take very long.

"It really depends," says Barger. "Some of them are really disciplined in terms of their [operational security]," and the cooperation of ISPs, national authorities, and other organizations can also affect how long it takes to develop the intelligence. 

Barger says that there is demand for this information. When the security team has to report that the organization has been compromised, "The boss always wants to know [by] who."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Thomas Claburn, User Rank: Ninja, 6/3/2015 | 5:53:51 PM
Re: The stupidity of evil
Sadly, evil often is not stupid enough to extinguish itself before doing damage.
Joe Stanganelli, User Rank: Ninja, 6/3/2015 | 4:47:51 PM
The stupidity of evil
My GoogleFu is failing me at the moment, but I remember reading years ago a piece by Dave Barry in which he posited that evil was necessarily stupid on some level because if evil people were smart they wouldn't need to resort to evil to achieve their goals.

(Barry went on to posit that the one possible exception to his theory was Richard Nixon.)