Adversary Intelligence: Getting Behind the Keyboard

Arguably one of the most controversial subjects in Threat Intelligence currently is the topic of Attribution, or developing Adversary Intelligence.

Industry pundits will debate attribution with a religious zeal, bashing each other with talking points for and against the position.  Unfortunately, many newcomers to the debate, as well as experienced practitioners and consumers, are often caught in the crossfire, and come away with a diminished interest in building out their persona-based intelligence capabilities. Thus, let us ask the question, is Adversary Intelligence really the “informational must have” or rather the  “waste of resources” that some make it out to be?

Why You Need Adversary Intelligence

Here at ThreatConnect, we understand that context is king.  Our philosophy is the more information you are able to ascertain about your threats, the better your data driven decision making process becomes and ultimately the better you become in minimizing organizational risks.  This is why we have built our platform with the Diamond Methodology for Intrusion Analysis as the underlying data management methodology as a means to represent the technical threat’s “how” and “what” overlaid against the real world personas “whom” and “why”. Think of it as a roadmap to navigate the production of threat intelligence. Most importantly we have allowed ThreatConnect to represent this story across the continuum of “when” and “where”.

For those of us in the security industry, we have an insatiable thirst for data. However, with the acquisition of greater data troves, we simultaneously create a greater problem, because we must now make sense of this raw data.  Bearing in mind that this data needs to eventually convey a story, the “so what” is buried within the data that eventually needs to be communicated in a way that will influence some sort of decision(s), as well as providing supporting feedback metrics to various stakeholders, informing them whether their decision was effective or not. We and others simply cannot be effective in telling that “so what” story to a decision maker if we are to blatantly ignore the Adversary’s Capabilities and Intent.

Capability & Intent: Know Both for Better Decision Making

One way to think of an Adversary’s capabilities and intent is through the analogy of a starry-eyed High School quarterback who dreams that one day he’ll make it big in the NFL. Throughout his career, he trains a little harder, goes the extra mile at practice, and his heart and mind is fixated toward achieving that one goal.  However, intent is not enough, as this quarterback also needs the capabilities and the tools such as running or throwing that will allow him to perform in a way that allows him to accomplish his goal.

Cyber threats are no different.  Moreover, not all adversaries are created equally, nor is intent consistent across the board.  For example, if it is known that the adversary intent is cyber espionage, we may not expect to see any defacement or ransomware activity.  Knowing what you are up against will allow you to build out your Adversary Intelligence capabilities, which, in turn, will enable more comprehensive mitigation strategies at the tactical level.

Example of Transitioning Intent:

• A sophisticated actor may intend to lay silently within an enterprise for years collecting intelligence on their target, waiting for an opportune moment to strike.  In doing so, the actor strategically transitions their intent from espionage to attack, deleting and destroying valuable data.
• Conversely, an ideological attacker whose intent is to propagate an idea, may feel that their message is not being heard and look for a more spectacular event such as espionage and strategic document leaks in support of a broader information operations campaign.

Just as adversary intent can vary, so can an adversary capabilities. These capabilities may technically map to the attacker intent, where the specific capability is used in an effort to allow the adversary achieve their particular goals. Thorough analysis of adversary tools and capabilities one may get a glimpse of what they are attempting to achieve, and possibly how sophisticated a threat may or may not be. However it is important that Adversary Intelligence analysis is not solely influenced by single source of information such as capability, or infrastructure (GeoIP) but rather includes a comprehensive “all source” approach which fuses multiple sources, both technical and non-technical.

Example of Capabilities:

• The use of custom malware that surreptitiously replicates itself to thumbdrives to jump air gapped networks, automatically looks for and collects documents with the keyword “SECRET” may signal that a highly resourced adversary is looking to exfiltrate sensitive information for the purposes of espionage.
• Malware with moderate antivirus detection that only looks for credit card track data and point of sale services, may indicate a moderately resourced attacker that is likely criminally motivated.
• We could expect an ideological attacker or someone who is looking to widely propagate their doctrines to likely leverage noisy and public mass website defacements.

Overtime organizations that are sharing information associated with common clusters of activity can begin to build out a broader understanding of an adversary’s Capabilities and Intent as they assemble pieces of the broader puzzle.

Tactical Feeding the Strategic: UglyGorilla & APT1

One of the most noteworthy examples of producing Adversary Intelligence and attribution within our industry was the 2013 Mandiant APT1 report.  This landmark achievement represented a major turning point in the industry whereby Adversary Intelligence was used to add strategic color to years of ongoing technical exploitation campaigns by presenting a glimpse of the personas and organizations involved in the systematic targeting of governments and corporations worldwide. It is important to bear in mind that although in this case, Adversary Intelligence was able to yield results with international-level geopolitical repercussions, the path to attribution began with seemingly benign technical leads that meant very little on their own, but made all of the difference when considered in the aggregate.

Lets go back to September 2005, at the time Symantec released details of an emergent threat known as Trojan.Hugesot, a custom implant that to this day carries a “low” risk profile. The implant was configured to call out to Command and Control (C2) node news.hugesoft[.]org. In October 2005, Whois privacy protections were removed from this domain and researchers were able to get a glimpse of the actual registration details, a common starting point for many analysts.

Although skeptics of Adversary Intelligence will highlight that these registration details can be spoofed or falsified, there are many times in which they are not; these data points should always be weighed in consideration against a broader dataset over time. One simple explanation for these oversights is that adversaries are human and are simply prone to error. We must also bear in mind that the internet has a vast memory, one that is not likely to forgive or forget even the slightest of these missteps.

In the case of APT1, the registration details for news.hugesoft[.]org indicated that the domain was originally registered out of Shanghai, China and that the infrastructure was registered by an individual using the email address uglygorilla@163[.]com.

In 2005, a simple search engine query for the moniker “uglygorilla” and “军人” (Soldier or Military Officer) identified a few Chinese language blogs and profiles which supported the working hypothesis that the activity was indeed originating from China, and that the responsible person and/or organization may have links to the PLA.

In the “actions on the objective” phase of cyber kill chain, many incident response teams had observed the APT1 attackers using the password “2j3c1k” when creating accounts or compressing and encrypting pilfered data.  The Mandiant report states:

However, there is one password “2j3c1k” extensively used by DOTA that is not based on a keyboard pattern, though he may not be the only APT1 actor that uses it. A numbered “j”, followed by a numbered “c”, and then a numbered “k” is likely shorthand (“j”/”c”/”k”) for the ju/chu/ke (局／处／科) organizational structure (translated to Bureau/Division (or Office)/Section) widely used within PLA General Staff Department organizations…Given this pattern, it is likely that the password “2j3c1k” stands for 2nd Bureau [Unit 61398], 3rd Division, 1st Section, demonstrating that those who use these patterns are working together and affiliate themselves to the 2nd Bureau.

At the time this adversary was well-resourced, as evidence by their relatively superior technical capabilities, the scale and scope of their multi-year, global compromises. Their intent was clear.  From the malware functionality to their actions on the objective, the APT1 actor was focused on espionage and surreptitiously taking information from global enterprises, in bulk over the long term. However, in contrast, an individual actor (UglyGorilla) maintained poor Operational Security (OPSEC), where this could have been a byproduct of things such as poor individual discipline, individual hubris, or limited organizational oversight.

The primary takeaway to this story is that way back in 2005 we had initial glimpses into what we know now in 2015 to be a very serious threat.  That realization took nearly a decade because in the recent past, associating hostile cyber activity to an individual seemed to be an inconceivably difficult task, and any effort to accomplish attribution was primarily reserved for law enforcement. However, once Adversary Intelligence was able to provide additional context to the technical indicators, momentous discoveries were made. Thus, organizations should be careful not to dismiss Adversary Intelligence, even when it is in a nascent state.

Rombertik / Carbon Grabber

In early May 2015, our friends at Cisco Talos released detailed analysis of a particular sample of Rombertik malware that featured unique anti-analysis functionality.  According to the report, “this functionality was designed to evade both static and dynamic analysis tools, make debugging difficult. If the sample detected it was being analyzed or debugged it would ultimately destroy the master boot record.”

Soon after, BlueCoat Labs was quick to decouple the destructive Rombertik payload functionality from the anti-analysis and anti-debugging wrapper component. Rombertik – i.e. the malware with the destructive part – is the payload executable packed inside the wrapper mentioned above. So, the huge MiniDelphi executable with the anti-sandbox and anti-reversing code is indeed a wrapper/injector, but it is seemingly unrelated to the destructive code…This wrapper can carry different payloads, and Rombertik is obviously one. It appears that this malware is better known and sold in the underground under the name Carbon Grabber.

A few weeks later, Symantec profiled Rombertik with an alternate theory as to intent behind the destructive behavior, “Much of the discourse has been about the destructive routines and their implied effects on the computers compromised by it, but the destructive functionality is not something that regular customers of Carbon Grabber have access to. Instead, this code is set up to only spring its trap if the Trojan detects that a user is trying to tamper with its code to make it do something it wasn’t licensed to do.”

Although anti-analysis and anti-debug techniques are not necessarily new within malware, functionality and execution of destructive capabilities as a last resort to avoid detection is an interesting combination, signaling that an operator seeks to maintain additional survivability at all costs. Alternatively, exclusive malware licensed to a particular command and control (C2) node with a destructive tamper proofing mechanism allows the author to ensure a certain degree of profitability while doing business within the black market where there is seemingly, no honor among thieves.

Either way, this functionality sets a limit as to the resources that a given individual or organization may be able to apply in investigating any security events involving these particular samples. We will highlight in the examples below, the destructive anti-analysis and anti-debug capabilities were incongruent with a particular adversaries technical capabilities and operational security (OPSEC) profile, which supports the working theory that the destructive functionality was indeed likely a byproduct of Carbon Grabber license tamperproofing, rather than a true anti-analysis technique.

In God we trust; all others must bring data

Our friends at Cisco, BlueCoat and Symantec all demonstrated a phenomenal thing that occurs quite often in our industry, within these great examples of technical analysis, experts will find slightly different conclusions from the same data. It is through these multiple (crowdsourced) perspectives that we can seek objectivity. From a Diamond Model of Intrusion analysis perspective, all of these analysis products seemingly focus on the Capability node of this particular threat, so these analytic approaches have a tendency to limit our overall understanding, leaving the broader audience with more questions than answers such as “what does this mean to me?”, “who is using this Capability?”, and “to whom is it affecting?”

Background

As the industry took particular interest in the sample (SHA256:0d11a13f54d6003a51b77df355c6aa9b1d9867a5af7661745882b61d9b75bccf) ThreatConnect Research began its research from the C2 infrastructure (centozos[.]org[.]in) where we observed a benign infrastructure enrichment that was seemingly overlooked. We shared these details with the ThreatConnect Common Community on May 5, 2015.

You will note in our enrichment of the analysis we observed that the C2 centozos[.]org[.]in Whois information was registered by “genhostkay@dispostable.com,” allegedly from Lagos, Nigeria. As we began to investigate and enrich further, we saw that there was even more information available than what was previously reported by the folks at SentinelOne on May 6, 2015.

Genhostkay [at] dispostable.com

For those who are unaware, Dispostable serves as a “disposable” inbox service that is publicly accessible to the open internet. Quite simply, anyone is able to navigate to this inbox service and review the full contents of the public “genhostkay@dispostable[.]com” emails as long as they know that particular account exists. Doing so revealed additional tradecraft (or lack there of) of a particular adversary that had leveraged “Rombertik” in the phishing incident that Cisco had analyzed in early May. The following summarizes some of the more notable messages that the “genhostkay@dispostable[.]com” received that give us additional Adversary Intelligence, other messages provided us details of tactical intelligence allowing us to expand our knowledge of this particular actor’s infrastructure.

In a May 4th message we can see that the adversary received a message from an infrastructure service provider, this notification was sent to two different email addresses; the public inbox genhostkay@dispostable[.]com as well as the more unique private kallysky@yahoo[.]com account.

In this case, the infrastructure provider sent the adversary a notification, informing them that norqren[.]com, a malicious domain under their control was set to expire.  The domain norqren[.]com has also overlapped with some of the same infrastructure, such as Polish IP Address 188.68.252[.]147 that previously hosted centozos.org[.]in as seen in the initial Rombertik analysis. Although we cannot say for certain that all of this infrastructure identified within VirusTotal is related, we can be certain that both centozos.org[.]in and norqren[.]com are directly related to the common genhostkay@dispostable[.]com account.

Analyst Comment: Note the domain Whois for norqren[.]com indicates it was was registered by massmind@dispostable[.]com since May 2014, however the domain management configured to notify genhostkay@dispostable[.]com and kallysky@yahoo[.]com. It is unknown if this infrastructure was rented out, established for, or used by any other operator.

Within the same genhostkay@dispostable[.]com account on February 17, 2015 we identified yet another reference to “kallysky” as a username within a Direct XEX (directxex[.]net) registration email. Direct XEX appears to be a download staging site for malicious content.

In January 2015, the genhostkay@dispostable[.]com account used the moniker “kallysky1” as a username when registering a NanoCore RAT account via nimoru[.]com. This unique username seen in separate threads over a five month span, from a different service providers gives us a compelling reason to further investigate the “kallysky@yahoo[.]com”, “kallysky” and “kallysky1” profiles.

Meet KallySky

KallySky aka “KallyKay” is 30 year old Kayode Ogundokun from Lagos, Nigeria. Ogundokun maintains a robust online presence from his personal and “business” Facebook accounts. In fact, Ogundokun has done very little in the way of operational security (OPSEC). His efforts in covering his tracks have been minimal to non-existent. Ogundokun’s skillset appears to be limited to using commodity RATs and Botnets within email borne attacks and is motivated primarily on financial gain rather than espionage or ideological purposes.

ThreatConnect Research assesses that Ogundokun likely purchased a new version of Carbon Grabber from a much more capable and sophisticated tool author, where the author subsequently sold or licensed it to the less capable operator. This particular sample was keyed to the centozos.org[.]in infrastructure that Ogundokun maintained, where it was later operationalized and was identified by Cisco. It appears as if this particular sample of Carbon Grabber was simply caught up in a headline grabbing story.

Historic Whois from DomainTools indicates Kayode Ogundokun maintained kallysky[.]com  from July 2011 to July 2014 using the email address kallysky@yahoo[.]com and various physical addresses within Lagos Nigeria.

His YouTube channel is full of brazen examples of the adversary inadvertently revealing both technical intelligence as well as Adversary Intelligence detailing both his capabilities and intent. All of this is done with little interest or concern in covering his tracks. His tutorials clearly underscore his lackluster technical prowess, his poor understanding of file permissions even revealing his cleartext passwords are among some of the more careless examples of his escapades within the underground.

KallySky’s Greatest Hits

The following section, while of immense entertainment value, is a collection of notable technical and Adversary Intelligence. For example, within a November 2013 Video Ogundokun introduces himself as “Kayode” aka “KallySky” and explains how he does “a bunch of internet stuffs” (sic).

He also provides his phone number, BlackBerry Pin and the same kallysky@yahoo[.]com email address that we observed earlier with the genhostkay@dispostable[.]com / norqren[.]com domain expiration email.

He claims to offer services for Citadel Bot, Cybergate RAT, DarkComet RAT with cpanel web services, “Fully Undetectable” by anti-virus as well as other capabilities such as binders and file extension spoofers, all for educational purposes, of course.

As Ogundokun provides a tutorial explaining how to use the Tweakware VPN to proxy web traffic, he is actually logged into his attributable Facebook page, viewing the “kallysky” Facebook group. Interesting metadata within his browser are bookmarked websites naij[.]com a Nigerian classifieds and news website, and Scamdex[.]com an online scam archive and resource.

He also visits his kallysky[.]com website. Note metadata within his banner graphic matches the same photo observed within his LinkedIn profile.

Ogundokun concludes his video with a services overview, contact and payment details with his attributable name and accounts to Guaranty Trust Bank (GTBank) account #07030107842 and United Bank for Africa (UBA) account #2013227317 bank info where for ₦1000 ($5 US) he can provide you any of the “internet tools” or services if you “hook him up”. Ogundokun also maintains the Liberty Reserve account #U4483252.

According to their “About Us” page, Guaranty Trust Bank (GTBank) plc is a foremost Nigerian financial institution with vast business outlays spanning Anglophone/Francophone, West Africa, East Africa and the United Kingdom. Wikipedia lists UBA as a large financial services provider in Nigeria with subsidiaries in 20 sub-Saharan countries, with representative offices in France, the United Kingdom and the United States.

Zeus Bot Tutorial

Within a February 2014 video Ogundokun provides a tutorial for Zeus Botnet using his kallysky@yahoo[.]com and kallysky1 Skype username contact details.

Ogundokun caveats within his tutorial that it is for education purposes only and that the viewer assumes all responsibility for applying the knowledge he is sharing. However, while he does this, he is actually leveraging malicious infrastructure and deploying malicious content.

For example, while accessing swiftervpn[.]com the last login highlighted within the cPanel as 174.127.99[.]164, which has been tied to several DarkComet RAT implants and dynamic DNS C2’s.

As Ogundokun configures his Zeus deployment, he inadvertently reveals the passwords “kasplit”, “123456” and “chisom” which were previously retained by his browser. These passwords are helpful elements of Adversary Intelligence. Our friends at SentinelOne also identified a similar password “kasplit101.” The password “chisom” is noteworthy in that it could be referencing an Igbo/Ibo Nigerian name or word.

Carbon Grabber Tutorial

In an April 2014 video, Ogundokun conveniently provides a Carbon Form Grabber / Carbon Grabber tutorial. In usual form he includes his kallysky@yahoo[.]com and kallysky1 contact details in the onset of the video. Note Carbon Grabber is the same capability that was previously identified associated with this particular Rombertik sample by both BlueCoat and Symantec.

During the onset of his Carbon Grabber tutorial Ogundokun includes his Yahoo and Skype contact details with an obfuscated screenshot of captured credentials for WellsFargo, HiNet Webmail, and Yahoo.

While demonstrating the Carbon Grabber backup, Ogundokun accessed swiftervpn[.]com which also maintained directories for online onlinebiz4nig[.]com and naijaswift[.]com. All domains were previously registered by a Oyekunle Ogunsina oogunsina@yahoo[.]com in Osun Nigeria.

Analyst Comment: It is unknown if the persona Oyekunle Ogunsina is an alias or is in someway related to Ogundokun.

In a video recorded in February 2015 and posted to Youtube in March 2015, Ogundokun provides his contact details within a backdrop of his tutorial for an unspecified document exploit.

He also provides specific details that the tutorial will cover and the Microsoft Office versions that the exploit is compatible with.

As Ogundokun uploads an njRAT and DarkComet implants to the file sharing site RGhost, the metadata of bookmarked websites reveals Coolsam Hosting as well as Rowdyhosts. Both of which are service providers that Ogundokun has previously used.

Although the DarkComet Implant Ogundokun has been removed from RGHost, visiting the URL http://rghost[.]net/7jDVGhjwR# today allows us to still view the very hashes that Ogundokun uploaded on February 15, 2015 at 20:01 hours.

The file (MD5: 786657e680aaa602dbc15c9a79bceecd and SHA1: cdaee72d78275211cd70aa9239a10645e5f6a6d7) has been observed on VirusTotal as DarkComet where it beacons to johnbull30.ddns[.]net, at the time of submission the C2 resolved to 174.127.99[.]164 which has also overlapped with several other dynamic domain services.

During the DarkComet RAT tutorial, Ogundokun reveals his local hostname SKY-PC and user account SKY in addition to his IP address 105.112.8[.]82 Airtel-Nigeria, Lagos Nigeria.

Adversary Intent

As mentioned earlier, it appears that Ogundokun is primarily focused in exploiting individuals for financial gain versus any other observed motive.

Many of Ogundokun internet posts appear to be run of the mill scams, where previous victims have been able to identify him as seen posted to one of his Facebook pages.

There also appears to be an element of knowledge transfer where Ogundokun has offered training seminars in Lagos that are more practical in nature, requesting attendees bring their laptops.

In a previous Facebook exchange, Ogundokun indicates that the seminar would take place at noon Saturday May 26th 2012, at 19 Hospital Road, Olodi Apapa, Lagos, Nigera (beside Westminster).

Archives of kallysky[.]com/seminar indicate that Ogundokun offered a “powerful free seminar” for ₦1500 (~$7 USD) where he would provide a “fastest legitimate way of making money on the internet.”

Victims

One thing to consider is that although an adversary may be somewhat limited in their capabilities, in that they have a rudimentary skillset or poor OPSEC, they can still be quite effective and do real damage on a global scale.

For example, we looked at just 9 of Ogundokun’s unique Zeus Bot controllers which maintained a cumulative of 20 unique botnets. Within this subset of Ogundokun’s infrastructure the earliest interactive victim reported into his botnet on May 11th 2015. Between May 11th and May 29th (19 days) Ogundokun was able to amass approximately 895 infected hosts within 58 unique countries. These hosts not only collect information about the victims, but they also serve as an infrastructure platform where Ogundokun can carry out other criminal tasks.

Of the victims identified the top 10 countries where victims were beaconing from were: India, China, United States, Egypt, Taiwan, Russia, Germany, Iran, United Arab Emirates and Korea.

Operational Caveat: All victim information has been turned over to the appropriate authorities for victim notification.

Conclusion

As news of Rombertik spread, we saw sensationalized reporting which used attention grabbing terms such as “terrifying” “deadly” “suicide bomber malware” dominate the security news headlines. Now if we consider for a moment the lost man hours due to ad hoc reprioritization for many security teams globally who were queried or tasked by their leadership to determine if their organization was at risk to Rombertik. Had the organizations also had Adversary Intelligence of Ogundokun’s rudimentary technical and operational sophistication, they would have seen a clearer comparison of the functional capabilities of the Rombertik/Carbon Grabber contrasted against Ogundokun intent, and could have effectively determined an appropriate level of risk mitigation.

To that end, practitioners feel that developing Adversary Intelligence or Attribution is too hard or too controversial, and they are right, sometimes. Identifying who is likely responsible for a certain activity can be a long fought process: it does not come freely, it can span across many years, and often requires multiple “trips around the Diamond Model” where precious man hours are spent collecting and synthesizing information obtained from numerous costly security incidents before enough Intelligence is aggregated and a clearer Adversary picture begins to emerge.

However this should not disparage newcomers, today’s enterprises should begin to evaluate how Adversary Intelligence applies to them and how it can support their security operations.

Without Adversary Intelligence, both producers and consumers of Threat Intelligence may risk overestimating or underestimating a given threat by myopically addressing a single source or facet of a given threat, simply because it is the path of least resistance. However, it is very important for organizations look to carefully compliment their technical analysis with Adversary Intelligence, thereby ensuring that they do not fall victim to biases and oversights.

Crowdsourcing your findings can ensure that your lead information meets both technical and analytic rigor, and as such, is processed into mature, actionable intelligence.

The bottom line is that people are people, and they will eventually make mistakes.  With this in mind, it is advisable to adopt a proactive mindset to instrument the enterprise in a manner that allows one to procedurally look for and exploit these types of human errors over time. It is this mindset that postures an organization to proactively look for and leverage Adversary Intelligence. Leverage their weakness, because you know they are leveraging ours.

ThreatConnect Research has shared the Adversary  Kayode Ogundokun aka “KallySky” associating it with  Incidents 20150505A: Rombertik Crimeware and 20150513B: KallySky DarkComet RAT with the ThreatConnect Common Community.

---