What makes one novel strain of malicious software more dangerous or noteworthy than another? Is it the sheer capability and feature set of the new malware, or are these qualities meaningless without also considering the skills, intentions and ingenuity of the person wielding it? Most experts probably would say it’s important to consider attribution insofar as it is knowable, but it’s remarkable how seldom companies that regularly publish reports on the latest criminal innovations go the extra mile to add context about the crooks apparently involved in deploying those tools.
Perhaps with some new malware samples, the associated actor attribution data is too inconclusive to publish —particularly when corporate lawyers are involved and such findings are juxtaposed to facts about a new code sample that can be demonstrated empirically. Maybe in other cases, the company publishing the research privately has concerns that airing their findings on attribution will somehow cause people to take them or the newfound threat less seriously?
I doubt many who are familiar with my reporting will have trouble telling where I come down on this subject, which explains why I’m fascinated by a bit of digging done into the actor behind a new malware sample that recently received quite a bit of media attention. That threat, known variously as “Rombertik” and “Carbon Grabber,” is financial crimeware that gained media attention because of a curious feature: it was apparently designed to overwrite key sections of the hard drive, rendering the host system unbootable.
News about Rombertik’s destructive ways was first published by Cisco, which posited that the feature was a defense mechanism built into the malware to frustrate security researchers who might be trying to unlock its secrets. Other security firms published competing theories about the purpose of the destructive component of the malware. Some argued it was the malware author’s way of enforcing licensing agreements with his customers: Those who tried to use the malware on Web addresses or domains that were not authorized as part of the original sale would be considered in violation of the software agreement — their malware infrastructure thus exposed to (criminal) a copyright enforcement regime of the most unforgiving kind.
Incredibly, none of these companies bothered to look more closely at the clues rather clumsily left behind by the person apparently responsible for spreading the malware sample that prompted Cisco to blog about Rombertik in the first place. Had they done so, they might have discovered that this ultra-sophisticated new malware strain was unearthed precisely because it was being wielded by a relatively unsophisticated actor who seems to pose more of a threat to himself than to others.
AFRICAN PERSISTENT THREAT
As much as I would love to take credit for this research, that glory belongs to the community which has sprung up around ThreatConnect, a company that specializes in threat attribution with a special focus on crowdsourcing raw actor data across a large community of users.
In this case, ThreatConnect dug deeper into centozos[dot]org[dot]in, the control server used in the Rombertik sample featured in the original Cisco report. The Web site registration records for that domain lists an individual in Lagos, Nigeria who used the email address email@example.com. For those unfamiliar with Dispostable, it is a free, throwaway email service that allows anyone to send and receive email without supplying a password for the account. While this kind of service relieves the user of having to remember their password, it also allows anyone who knows the username to read all of the mail associated with that account.
Reviewing the messages in that firstname.lastname@example.org account reveals that the account holder registered the domain centozos[dot]org[dot]in with registrar Internet.bs, and that he asked to be CC’d on another email address, “email@example.com”. ThreatConnect found that same firstname.lastname@example.org email address used to register a number of other domains associated with distributing malware, including kallyguru[dot]in, nimoru[dot]com, directxex[dot]net, and norqren[dot]com.
The email address email@example.com is tied to a Facebook account for a 30-year-old Kayode Ogundokun from Lagos, Nigeria, who maintains a robust online presence from his personal and “business” Facebook accounts, Blogger, LinkedIn, Twitter and Youtube,” ThreatConnect wrote.
“In fact Ogundokun has done very little in the way of operational security (OPSEC). His efforts in covering tracks his tracks have been minimal to non-existent,” ThreatConnect continued. “Ogundokun’s skillset appears to be limited to using commodity RATs and botnets within email borne attacks and is motivated primarily on financial gain rather than espionage or ideological purposes. [We assess] that Ogundokun likely purchased a new version of Carbon Grabber from a much more capable and sophisticated tool author, where the author subsequently licensed it to a less capable operator. His particular sample of Carbon Grabber was simply caught up in a headline grabbing story.”
REVEALING INTERNET SECRETS TO YOU
For several years until very recently, Kally/Koyode maintained kallysky.com, which thanks to archive.org we can still review in all its glory. In it, Kally’s site — which boldly and confidently displays the banner message “Revealing Internet Secrets to You” — links to dozens of video tutorials he produced and stars in on how to use various malware tools.“He claims to offer services for Citadel Bot, Cybergate RAT, Darkcomet RAT with cpanel web services, ‘Fully Undetectable’ by anti-virus as well as other capabilities such as binders and file extension spoofers, all for educational purposes, of course,” ThreatConnect notes. “He also provides his phone number, BlackBerry Pin and the same kallysky@yahoo[dot]com email address that we observed earlier with the genhostkay@dispostable[dot]com norqren[dot]com domain expiration email.”
In an April 2014 video, Ogundokun provides a Carbon Form Grabber / Carbon Grabber tutorial. At the beginning of the video, he includes his kallysky@yahoo[dot]com contact details.
Sadly, Kally did not respond to requests for an interview about his work sent to his yahoo.com address. But his case and the initial industry writeups on Rombertik are illustrative of a trend within the security industry that’s become all-too-common: Threat reports that lack context — particularly on attribution that is so trivially discoverable, ThreatConnect observed.
“As news of Rombertik spread, we saw sensationalized reporting which used attention grabbing terms such as ‘terrifying,’ ‘deadly’ and ‘suicide bomber malware’ dominate the security news headlines,” the company wrote. “Now if we consider for a moment the man hours and ad hoc reprioritization for many security teams globally who were queried or tasked to determine if their organization was at risk to Rombertik – had the organizations also had adversary intelligence of Ogundokun’s rudimentary technical and operational sophistication, they would have seen a clearer comparison of the functional capabilities of the Rombertik/Carbon Grabber contrasted against the operator’s (Ogundokun) intent, and could have more effectively determined the level of risk.”