Adversary Intelligence Finds Criminals Not As Smart As Their Code

Published: 22/11/2024   Category: security

The adversary using the stealthy Rombertik malware wasn't nearly as stealthy himself.



Just because a malware sample is a sophisticated doomsday device doesn't necessarily mean the adversary using that malware is a sophisticated attacker bent on destroying the earth. That adversary intelligence -- knowledge about the adversary's capability and intent -- is essential to making decisions about how to properly prioritize and defend against threats, according to research released this week by ThreatConnect.

Last month, researchers at Cisco Talos, Symantec, and BlueCoat Labs were all digging into Rombertik (a.k.a. Carbon Grabber), malware that had, among other things, impressive anti-analysis capabilities: it would overwrite the master boot record if it detected that it was being analyzed or debugged (or, as Symantec theorized, possibly as an anti-piracy trigger that fires when criminal customers try to exceed the terms of their Rombertik license).
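Rombertik's specific checks are not detailed in this article, but the combination it describes, debugger or sandbox detection paired with the ability to overwrite the master boot record, is something a triage analyst can look for statically before deciding how much to panic. The following Python script is an added example and not code from ThreatConnect, Cisco Talos, or the malware author: it extracts printable strings (ASCII and UTF-16LE, as `strings -e l` would) from a binary and matches them against Win32 API names commonly used for anti-debugging and against the raw-disk device path a user-mode wiper must open to reach sector 0. The indicator lists and the two byte blobs it scans are assumptions constructed for the demo; no real sample is embedded.

```python
"""Static triage for anti-analysis and MBR-wipe indicators in a Windows binary.

Added example: not code from the article, ThreatConnect, Cisco Talos or the
Rombertik author. The indicator lists are this example's own assumptions;
the article does not say which checks Rombertik actually performs.
"""
import re
from dataclasses import dataclass, field

# Win32/NT APIs commonly imported by samples that look for a debugger.
# Presence is a hint for prioritising deeper analysis, not proof of intent.
ANTI_DEBUG_APIS = frozenset({
    "IsDebuggerPresent",
    "CheckRemoteDebuggerPresent",
    "NtQueryInformationProcess",
    "OutputDebugStringA",
})
# A user-mode program reaches sector 0 (the MBR) by opening the first
# physical drive as a file and writing to it.
RAW_DISK_PATHS = frozenset({r"\\.\PhysicalDrive0"})
DISK_WRITE_APIS = frozenset({"CreateFileA", "CreateFileW", "WriteFile"})

_ASCII = re.compile(rb"[\x20-\x7e]{4,}")            # printable ASCII runs
_WIDE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")     # UTF-16LE runs


def extract_strings(data: bytes) -> set[str]:
    """Printable ASCII and UTF-16LE strings of length >= 4, like `strings -e l`."""
    found = {m.decode("ascii") for m in _ASCII.findall(data)}
    found |= {m.decode("utf-16-le") for m in _WIDE.findall(data)}
    return found


def _hits(strings: set[str], indicators: frozenset[str]) -> list[str]:
    """Indicators that appear as a substring of any extracted string."""
    return sorted(i for i in indicators if any(i in s for s in strings))


@dataclass
class Triage:
    anti_debug: list[str] = field(default_factory=list)
    raw_disk: list[str] = field(default_factory=list)
    disk_write: list[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        # Only the combination of debugger checks and raw-disk write capability
        # earns the "drop everything" treatment the article warns against overusing.
        if self.anti_debug and self.raw_disk and self.disk_write:
            return "anti-analysis + MBR-wipe capable: escalate"
        if self.anti_debug:
            return "anti-debug only: routine"
        return "no indicators"


def triage(data: bytes) -> Triage:
    strings = extract_strings(data)
    return Triage(
        anti_debug=_hits(strings, ANTI_DEBUG_APIS),
        raw_disk=_hits(strings, RAW_DISK_PATHS),
        disk_write=_hits(strings, DISK_WRITE_APIS),
    )


# Constructed stand-ins for real files (no actual malware is embedded): a blob
# whose import-style strings name two anti-debug APIs plus the raw-disk path
# as a wide string, and a plain tool that only reads and writes ordinary files.
WIPER_LIKE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"kernel32.dll\x00IsDebuggerPresent\x00CheckRemoteDebuggerPresent\x00"
    + b"CreateFileW\x00WriteFile\x00\x00\x00"
    + r"\\.\PhysicalDrive0".encode("utf-16-le") + b"\x00\x00"
)
BENIGN_LIKE = b"MZ\x90\x00" + b"kernel32.dll\x00CreateFileA\x00WriteFile\x00ReadFile\x00"

if __name__ == "__main__":
    for name, blob in (("wiper-like", WIPER_LIKE), ("benign-like", BENIGN_LIKE)):
        t = triage(blob)
        print(f"{name}: {t.verdict}  anti_debug={t.anti_debug} raw_disk={t.raw_disk}")
```

Hits are a prioritization signal, not a verdict: packed or encrypted samples hide their imports until unpacked, and plenty of legitimate software imports IsDebuggerPresent. The point, in line with the article, is to decide quickly whether a sample merits the deep-dive treatment Rombertik got, and then to spend the remaining effort on who is actually wielding it.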
Sophisticated tech, and very desirable for anyone who wants to keep nosy security teams and forensics investigators at bay. However, when ThreatConnect started poking around to learn more about the adversary using Rombertik, it discovered that he wasn't nearly as discreet as his malware would suggest.
"It wasn't hard in any way to figure out his intent," says Rich Barger, chief intelligence officer of ThreatConnect.
The goal, says Barger, was to get rich quick. The culprit was 30-year-old Kayode Ogundokun, a.k.a. KallySky, from Lagos, Nigeria -- a city with a growing wealthy class driven by the get-rich spirit. He was very active on Facebook, Twitter, LinkedIn, Blogger, and YouTube, where he posted tutorials on using some of these attack tools.
According to ThreatConnect: "In fact, Ogundokun has done very little in the way of operational security (OPSEC). His efforts in covering his tracks have been minimal to non-existent."
In his YouTube tutorials, KallySky not only recklessly shares his email address and phone number but also reveals passwords in cleartext and shows his bank account information. According to ThreatConnect, his tutorials clearly underscore his lackluster technical prowess. The report also states:
"Ogundokun's skillset appears to be limited to using commodity RATs and Botnets within email-borne attacks and is motivated primarily by financial gain rather than espionage or ideological purposes."
"The TCIRT assesses that Ogundokun likely purchased a new version of Carbon Grabber from a much more capable and sophisticated tool author, where the author subsequently sold or licensed it to the less capable operator. ... It appears as if this particular sample of Carbon Grabber was simply caught up in a headline-grabbing story."
"Rombertik was the end of the Internet as we know it," says Barger, "and with new knowledge, we could shift that and say, this isn't the threat we thought."
Barger says that this kind of adversary intelligence can help security teams decide whether they really should drop everything and rush to address a new threat that moment, or whether they should approach it differently. "We can start making better decisions," he says, "at a technical level, but also at a strategic level."
There have been some debates within the security community about the importance, or lack thereof, of attribution -- who committed the attack. That story can sometimes take years to develop, says Barger, but "we're attributing things all the time. It's just different levels of attribution."
Although knowing the precise threat actor may take a long time, he says there is value to knowing some general information about the adversarys capabilities and intent -- and sketching out those basics and chasing down the hype may not take very long.
"It really depends," says Barger. "Some of them are really disciplined in terms of their [operational security]," and the cooperation of ISPs, national authorities, and other organizations can also affect how long it takes to develop the intelligence.
Barger says that there is demand for this information. When the security team has to report that the organization has been compromised, "The boss always wants to know [by] who."
