CostaRicto APT: Cyber mercenaries use previously undocumented malware

CostaRicto APT is targeting South Asian financial institutions and global entertainment companies with undocumented malware.

BlackBerry researchers have documented the activity of a hackers-for-hire group, dubbed CostaRicto, that has been spotted using a previously undocumented piece of malware to target South Asian financial institutions and global entertainment companies.

“During the past six months, the BlackBerry Research and Intelligence team have been monitoring a cyber-espionage campaign that is targeting disparate victims around the globe.” reads the analysis published by BlackBerry. “The campaign, dubbed CostaRicto by BlackBerry, appears to be operated by “hackers-for-hire”, a group of APT mercenaries who possess bespoke malware tooling and complex VPN proxy and SSH tunnelling capabilities.”

CostaRicto targeted entities worldwide; most of them are in India, Bangladesh, Singapore, and China, suggesting that the threat actor could be based in South Asia.

Upon gaining access to the target’s infrastructure using stolen credentials, the cyber mercenaries set up an SSH tunnel to download a backdoor and a payload loader called CostaBricks. CostaBricks is a custom VM-based payload loader that executes embedded bytecode to decode the payload and inject it directly into the memory of the target system.

CostaRicto was observed using the CostaBricks loader to deliver a C++ compiled executable called SombRAT (the name comes from the Overwatch game character Sombra).

The backdoor has a modular structure: it implements RAT functionality and can execute other malicious payloads, in the form of plugins or standalone binaries. The malware supports 50 different commands and can perform multiple actions, such as gathering system information, injecting malicious DLLs into memory, enumerating files in storage, exfiltrating data, listing and killing processes, and uploading files to the C2.

The researchers have analyzed six versions of SombRAT. The first version dates back to October 2019, while the latest variant was spotted in August. Experts believe that the malware is under active development.

BlackBerry analysts noticed that one of the IP addresses used in the group's attacks has been linked to an earlier phishing campaign initially attributed to the Russia-linked APT28 group. This circumstance suggests that the CostaRicto APT carried out attacks on behalf of other threat actors.

“Finally, the diversity and geography of the victims doesn’t fit a picture of a campaign sponsored by a particular state; rather, it’s a mix of targets that could be explained by different assignments commissioned by disparate entities.” concluded the report. “With the undeniable success of Ransomware-as-a-Service (RaaS), it’s not surprising that the cybercriminal market has expanded its portfolio to add dedicated phishing and espionage campaigns to the list of services on offer. Outsourcing attacks or certain parts of the attack chain to unaffiliated mercenary groups has several advantages for the adversary – it saves their time and resources and simplifies the procedures, but most importantly it provides an additional layer of indirection, which helps to protect the real identity of the threat actor.”


Pierluigi Paganini

(SecurityAffairs – hacking, Chrome zero-day)

