Lately Rombertik have been making the headlines of security related news, I wrote on SecurityAffairs about the malware a few weeks ago, last update from security researchers at ThreatConnect is that a new analysis traced back the malware to Nigeria.
Rombertik is a powerful malware and known for the destructive capabilities, and as I wrote before, Rombertik implements high sophisticated evasion detection technique and analysis, it also includes the ability to delete victim’s hard drive data and making the computer unusable.
Principal security firms, including Symantec and Mcafee, have been doing their own investigations about the Rombertik agent, but none of them has published anything about source code since now.
Now, thanks to researchers at ThreatConnect that analyzed one sample, we are able to trace it back to a Nigerian man, who they believe to be the source of the destructive piece of malware.
The researchers at ThreatConnect started by analyzing “centozos[.]org[.]in“, the C&C domain used by Rombertik to send the stolen data from the infected machines.
It was discovered that the domain was registered with the email “genhostkay@dispostable[.]com” , which was created in a disposable email service that allow people to send an receive mails without need a password for it, which means that everybody can access to the account if the username is known.
Further investigations on “genhostkay@dispostable[.]com” led them to discover the e-mail ” “kallysky@yahoo[.]com” since this email was in CC in one of the received emails. Being Yahoo a legit and known email service, the researchers narrow their investigations to a person that they believe to be called Kayode Ogundokun, a 30-year-old man from Lagos, Nigeria.
“It appears that Ogundokun is primarily focused in exploiting individuals for financial gain versus any other observed motive,” ,“Many of Ogundokun internet posts appear to be run of the mill scams, where previous victims have been able to identify him as seen posted to one of his Facebook pages.” States ThreatConnect in a blog post.
Surprisely, Ogundokun hasn’t hidden himself well, and researchers say that probably some lack of skill set led Rombertik to trigger the destructive feature.
The [ThreatConnect Intelligence Research Team] assesses that Ogundokun likely purchased a new version of Carbon Grabber from a much more capable and sophisticated tool author, where the author subsequently sold or licensed it to the less capable operator,” “This particular sample was keyed to the centozos.org[.]in infrastructure that Ogundokun maintained, where it was later operationalized and was identified by Cisco. It appears as if this particular sample of Carbon Grabber was simply caught up in a headline-grabbing story.”
Besides all that is said, the true is that Ogundokun had success operations and was able to infect 900 hosts around the world in about 3 weeks.
“As news of Rombertik spread, we saw sensationalized reporting which used attention grabbing terms such as ‘terrifying’ ‘deadly’ ‘suicide bomber malware’ dominate the security news headlines. Now if we consider for a moment the lost man hours due to ad hoc reprioritization for many security teams globally who were queried or tasked by their leadership to determine if their organization was at risk to Rombertik,” added ThreatConnect.
“Had the organizations also had Adversary Intelligence of Ogundokun’s rudimentary technical and operational sophistication, they would have seen a clearer comparison of the functional capabilities of the Rombertik/Carbon Grabber contrasted against Ogundokun intent, and could have effectively determined an appropriate level of risk mitigation,”
In my opinion, Ogundokun is the prove that everyone that dedicates himself can accomplish good results, everyone capable of using a computer can turn himself in a potential cyber criminal.
About the Author Elsio Pinto
Edited by Pierluigi Paganini
(Security Affairs – Rombertik, malware)