A hackers-for-hire APT group is using a strain of never-before-seen malware and targeting businesses in the CostaRicto campaign.
The BlackBerry Research and Intelligence Team uncovered a cyber espionage campaign targeting financial institutions and entertainment firms across the globe. Researchers have dubbed this campaign CostaRicto.
According to BlackBerry researchers, this campaign seems to be the work of an APT hackers-for-hire mercenary group possessing bespoke malware tools, SSH tunneling, and VPN proxy capabilities.
The TTPs (tactics, techniques, and procedures) of APT-style attacks are often similar to those of sophisticated state-sponsored targeted campaigns. However, the geography and profiles of their victims are far more diverse.
Researchers identified that CostaRicto targets countries across the Americas, Europe, Asia, Africa, and Australia. However, the highest concentration of victims is in South Asia, particularly China, India, Singapore, and Bangladesh. Presumably, the threat actor is based in this region but working for diverse clients worldwide.
Their attack method is relatively straightforward. They use stolen credentials to gain an initial foothold in their target firm’s network environment and set up an SSH tunnel for downloading a backdoor.
Alongside the backdoor, the tunnel delivers a payload loader called CostaBricks, which implements a C++ virtual machine mechanism that decodes the bytecode payload and injects it into memory.
Their C&C servers are managed through Tor or via a layer of proxies. They also establish a complicated network of SSH tunnels in the victim’s environment, which reflects that the attackers have implemented above-average operational security.
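The SSH tunneling described above leaves a footprint that defenders can hunt for: long-lived, high-volume SSH sessions from internal hosts to external addresses that are not approved bastions, and several internal hosts tunneling to the same external endpoint. The following Python script is an added example, not code from BlackBerry’s report or from the CostaRicto toolset; the flow records, the approved-bastion list and the thresholds are all constructed assumptions for illustration.

```python
import csv
import ipaddress
from dataclasses import dataclass, field
from io import StringIO

# Constructed flow records (not from the report): one outbound connection per row.
SAMPLE_FLOWS = """src_ip,dst_ip,dst_port,duration_s,bytes_out
10.20.1.15,10.20.1.2,22,45,12000
10.20.1.15,203.0.113.7,22,86400,52000000
10.20.1.40,198.51.100.9,22,120,8000
10.20.1.40,10.20.5.8,443,30,4000
10.20.1.77,203.0.113.7,22,7200,900000
"""

# Assumed policy: the only approved external SSH destination is a known bastion host.
ALLOWED_EXTERNAL_SSH = {"198.51.100.9"}
LONG_SESSION_S = 3600            # assumed threshold: sessions over an hour are unusual
HIGH_VOLUME_BYTES = 10_000_000   # assumed threshold: 10 MB out over SSH is unusual

# RFC 1918 ranges are treated as internal; everything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Finding:
    src_ip: str
    dst_ip: str
    reasons: list = field(default_factory=list)


def parse_flows(text):
    """Parse the CSV flow export into typed dictionaries."""
    flows = []
    for row in csv.DictReader(StringIO(text)):
        flows.append({
            "src_ip": row["src_ip"],
            "dst_ip": row["dst_ip"],
            "dst_port": int(row["dst_port"]),
            "duration_s": int(row["duration_s"]),
            "bytes_out": int(row["bytes_out"]),
        })
    return flows


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_suspicious_ssh(flows):
    """Flag outbound SSH sessions to external hosts that break policy or look like tunnels."""
    findings = []
    for f in flows:
        if f["dst_port"] != 22 or not is_external(f["dst_ip"]):
            continue
        reasons = []
        if f["dst_ip"] not in ALLOWED_EXTERNAL_SSH:
            reasons.append("unapproved external SSH destination")
        if f["duration_s"] >= LONG_SESSION_S:
            reasons.append("long-lived session")
        if f["bytes_out"] >= HIGH_VOLUME_BYTES:
            reasons.append("high outbound volume")
        if reasons:
            findings.append(Finding(f["src_ip"], f["dst_ip"], reasons))
    return findings


def shared_endpoints(flows):
    """Map each unapproved external SSH endpoint to the set of internal hosts that reached it.

    Several internal hosts converging on one external SSH endpoint is a pattern a
    chained tunnel network would produce; only endpoints with two or more sources are returned.
    """
    by_dst = {}
    for f in flows:
        if f["dst_port"] == 22 and is_external(f["dst_ip"]) and f["dst_ip"] not in ALLOWED_EXTERNAL_SSH:
            by_dst.setdefault(f["dst_ip"], set()).add(f["src_ip"])
    return {dst: srcs for dst, srcs in by_dst.items() if len(srcs) >= 2}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for finding in find_suspicious_ssh(flows):
        print(f"{finding.src_ip} -> {finding.dst_ip}: {', '.join(finding.reasons)}")
    for dst, srcs in shared_endpoints(flows).items():
        print(f"shared external SSH endpoint {dst} reached from {sorted(srcs)}")
```

On the constructed data the script flags the two sessions to 203.0.113.7 and reports that endpoint as shared by two internal hosts, while the short session to the approved bastion passes. In practice the thresholds should be tuned to the environment’s own SSH baseline, and the flow source would be a NetFlow or firewall export rather than an inline string.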
The backdoor used in this campaign is previously undocumented malware. It is a custom-designed tool bearing an indicative project name, a detailed versioning system, and well-structured code.
This campaign appears to be in its debug testing stage, as the earliest timestamps are from Oct 2019. In contrast, the payload stagers’ timestamps go back to 2017, suggesting that the operation has been going on for quite some time but previously delivered a different payload.
Quite possibly, the stagers are being reused by modifying the C2 URLs through binary editing. The backdoor project is known as Sombra. The name refers to a character from the game Overwatch, an agent of an antagonist organization who specializes in intelligence evaluation and espionage.
It is still unclear how the group obtains the credentials used to gain an initial foothold in the targeted environment. BlackBerry researchers claim that the attackers may have acquired them through phishing or from the Dark Web.