'Adversary Intelligence' Finds Criminals Not As Smart As Their Code

The adversary using the stealthy Rombertik malware wasn't nearly as stealthy.

Just because a malware sample is a sophisticated doomsday device doesn't necessarily mean the adversary using that malware is a sophisticated attacker bent on destroying the earth. That "adversary intelligence" -- knowledge of the adversary's capability and intent -- is essential to deciding how to prioritize and defend against threats, according to research released this week by ThreatConnect.

Last month, researchers at Cisco Talos, Symantec, and BlueCoat Labs were all digging into Rombertik (a.k.a. Carbon Grabber), malware that had, among other things, impressive anti-analysis capabilities: it would overwrite the master boot record if it detected it was being analyzed or debugged (or, as Symantec theorized, possibly if the Rombertik authors detected that their criminal customers were trying to exceed the permissions of their Rombertik licensing agreement).

Sophisticated tech. Very desirable for anyone who wants to keep nosy security teams and forensics investigators at bay. However, when ThreatConnect started to poke around to learn more about the adversary using Rombertik, they discovered that he wasn't nearly as discreet as his malware would indicate.

"It wasn't hard in any way to figure out his intent," says Rich Barger, chief intelligence officer of ThreatConnect.

The goal, says Barger, was "get rich quick." And the culprit was 30-year-old Kayode Ogundokun, a.k.a "KallySky," from Lagos, Nigeria -- a city with a growing wealthy class driven by the get-rich spirit. He was very active on Facebook, Twitter, LinkedIn, Blogger, and on YouTube, where he gave tutorials on using some of these attack tools.

According to ThreatConnect, "In fact, Ogundokun has done very little in the way of operational security (OPSEC). His efforts in covering his tracks have been minimal to non-existent."

In his YouTube tutorials, not only does KallySky recklessly share his email address and phone number, but he even reveals passwords in cleartext and shares his bank account information. According to ThreatConnect, "his tutorials clearly underscore his lackluster technical prowess." Also:

"Ogundokun's skillset appears to be limited to using commodity RATs and Botnets within email borne attacks and is motivated primarily by financial gain rather than espionage or ideological purposes.

"The TCIRT assesses that Ogundokun likely purchased a new version of Carbon Grabber from a much more capable and sophisticated tool author, where the author subsequently sold or licensed it to the less capable operator. ... It appears as if this particular sample of Carbon Grabber was simply caught up in a headline grabbing story."

"Rombertik was 'the end of the Internet as we know it,'" says Barger, "and with new knowledge, we could shift that and say, this isn't the threat we thought."

Barger says that this kind of adversary intelligence can help security teams decide whether they really should drop everything and rush to address a new threat that moment, or if they should approach it differently. "We can start making better decisions," he says, "at a technical level, but also at a strategic level."

There have been some debates within the security community about the importance, or lack thereof, of attribution -- who committed the attack. "That story can sometimes take years to develop," says Barger, but "We're attributing things all the time. It's just different levels of attribution."

Although knowing the precise threat actor may take a long time, he says there is value to knowing some general information about the adversary's capabilities and intent -- and sketching out those basics and "chasing down the hype" may not take very long.

"It really depends," says Barger. "Some of them are really disciplined in terms of their [operational security]," and the cooperation of ISPs, national authorities, and other organizations can also affect how long it takes to develop the intelligence.

Barger says that there is demand for this information. When the security team has to report that the organization has been compromised, "The boss always wants to know [by] who."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments

Thomas Claburn, 6/3/2015 5:53:51 PM
Re: The stupidity of evil
Sadly, evil often is not stupid enough to extinguish itself before doing damage.

Joe Stanganelli, 6/3/2015 4:47:51 PM
The stupidity of evil
My GoogleFu is failing me at the moment, but I remember reading years ago a piece by Dave Barry in which he posited that evil was necessarily stupid on some level because if evil people were smart they wouldn't need to resort to evil to achieve their goals.

(Barry went on to posit that the one possible exception to his theory was Richard Nixon.)