Costaricto APT: Cyber mercenaries use previously undocumented malware

CostaRicto APT is targeting South Asian financial institutions and global entertainment companies with undocumented malware.

Blackberry researchers have documented the activity of a hackers-for-hire group, dubbed CostaRicto, that has been spotted using a previously undocumented piece of malware to target South Asian financial institutions and global entertainment companies.

“During the past six months, the BlackBerry Research and Intelligence team have been monitoring a cyber-espionage campaign that is targeting disparate victims around the globe.” reads the analysis published by BlackBerry. “The campaign, dubbed CostaRicto by BlackBerry, appears to be operated by “hackers-for-hire”, a group of APT mercenaries who possess bespoke malware tooling and complex VPN proxy and SSH tunnelling capabilities.”

CostaRicto targeted entities worldwide, most of them are in India, Bangladesh, Singapore, and China, suggesting that the threat actor could be based in South Asia.

Upon gaining access to the target’s infrastructure using stolen credentials, the cyber mercenaries set up an SSH tunnel to download a backdoor and a payload loader called CostaBricks. CostaBricks is a custom VM-based payload loader that executes an embedded bytecode to decode and inject the payload directly into the memory of the target system.

CostaRicto was observed using the CostaBricks loader to deliver a C++ compiled executable called SombRAT (the name comes from the Overwatch game character Sombra).

The backdoor implements a modular structure, it implements RAT functionalities and is able to execute other malicious payloads, in the form of plugins or standalone binaries. The malware support 50 different commands and is able to perform multiple actions, such as gathering system information, injecting malicious DLLs into memory, enumerating files in storage, exfiltrating data, listing and killing processes, and uploading files to the C2.

The researchers have analyzed six versions of the SombRAT, the first version dates back to October 2019, while the latest variant was spotted in August. Experts believe that the malware is under active development.

Blackberry analysts noticed that one of the IP addresses employed in the attacks of the group has been linked to an earlier phishing campaign initially attributed to the Russia-linked APT28 group. This circumstance suggests that the Costaricto APT carried out attacks on behalf of other threat actors.

“Finally, the diversity and geography of the victims doesn’t fit a picture of a campaign sponsored by a particular state; rather, it’s a mix of targets that could be explained by different assignments commissioned by disparate entities.” concluded the report. “With the undeniable success of Ransomware-as-a-Service (RaaS), it’s not surprising that the cybercriminal market has expanded its portfolio to add dedicated phishing and espionage campaigns to the list of services on offer. Outsourcing attacks or certain parts of the attack chain to unaffiliated mercenary groups has several advantages for the adversary – it saves their time and resources and simplifies the procedures, but most importantly it provides an additional layer of indirection, which helps to protect the real identity of the threat actor.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Chrome zero-day)

[adrotate banner=”5″]

[adrotate banner=”13″]