
New Rombertik Sample has originated in Nigeria

ThreatConnect has conducted further investigations on the Rombertik malware and traced a malicious sample they analyzed to a Nigeria-based man.

Lately Rombertik has been making the headlines of security news. I wrote on SecurityAffairs about the malware a few weeks ago; the latest update from security researchers at ThreatConnect is that a new analysis traced the malware back to Nigeria.

Rombertik is a powerful piece of malware known for its destructive capabilities. As I wrote before, Rombertik implements highly sophisticated detection- and analysis-evasion techniques, and it also includes the ability to wipe data from the victim’s hard drive, rendering the computer unusable.

Principal security firms, including Symantec and McAfee, have been conducting their own investigations into the Rombertik agent, but none of them has published anything about its source so far.

Now, thanks to researchers at ThreatConnect who analyzed one sample, it has been traced back to a Nigerian man, who they believe to be the source of the destructive piece of malware.

The researchers at ThreatConnect started by analyzing “centozos[.]org[.]in“, the C&C domain used by Rombertik to send the stolen data from the infected machines.

It was discovered that the domain was registered with the email “genhostkay@dispostable[.]com”, an address created on a disposable email service that allows people to send and receive mail without needing a password, which means that anybody who knows the username can access the account.

Further investigation of “genhostkay@dispostable[.]com” led them to discover the e-mail address “kallysky@yahoo[.]com”, since it was CC’d on one of the received emails. Yahoo being a legitimate and well-known email service, the researchers narrowed their investigation down to a person they believe to be Kayode Ogundokun, a 30-year-old man from Lagos, Nigeria.

(Image: Rombertik mail)

Now the funny part is that Ogundokun has several social media accounts and offers services and tutorials related to malware, such as DarkComet RAT, Carbon Grabber, Zeus, etc.

“It appears that Ogundokun is primarily focused in exploiting individuals for financial gain versus any other observed motive,” states ThreatConnect in a blog post. “Many of Ogundokun’s internet posts appear to be run of the mill scams, where previous victims have been able to identify him as seen posted to one of his Facebook pages.”

Surprisingly, Ogundokun hasn’t hidden himself well, and researchers say that a lack of skill on his part probably led Rombertik to trigger its destructive feature.

“The [ThreatConnect Intelligence Research Team] assesses that Ogundokun likely purchased a new version of Carbon Grabber from a much more capable and sophisticated tool author, where the author subsequently sold or licensed it to the less capable operator,” the post continues. “This particular sample was keyed to the centozos.org[.]in infrastructure that Ogundokun maintained, where it was later operationalized and was identified by Cisco. It appears as if this particular sample of Carbon Grabber was simply caught up in a headline-grabbing story.”

Despite all that has been said, the truth is that Ogundokun ran successful operations and was able to infect 900 hosts around the world in about 3 weeks.

“As news of Rombertik spread, we saw sensationalized reporting which used attention grabbing terms such as ‘terrifying’, ‘deadly’ and ‘suicide bomber malware’ dominate the security news headlines. Now if we consider for a moment the lost man hours due to ad hoc reprioritization for many security teams globally who were queried or tasked by their leadership to determine if their organization was at risk to Rombertik,” added ThreatConnect.

“Had the organizations also had Adversary Intelligence of Ogundokun’s rudimentary technical and operational sophistication, they would have seen a clearer comparison of the functional capabilities of the Rombertik/Carbon Grabber contrasted against Ogundokun’s intent, and could have effectively determined an appropriate level of risk mitigation.”

In my opinion, Ogundokun is proof that anyone who dedicates himself can accomplish results: anyone capable of using a computer can turn himself into a potential cyber criminal.

About the Author Elsio Pinto

Elsio Pinto (@high54security) is currently the Lead McAfee Security Engineer at Swiss Re, and he also has knowledge in the areas of malware research, forensics and ethical hacking. He has previous experience in major institutions, the European Parliament being one of them. He is a security enthusiast and tries his best to pass on his knowledge. He also runs his own blog: http://high54security.blogspot.com/

Edited by Pierluigi Paganini

(Security Affairs – Rombertik,  malware)

Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field, and a Certified Ethical Hacker (EC-Council, London). The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. Author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
