13 November 2020

New cyber mercenary group targets financial, entertainment companies across the globe


Researchers from the BlackBerry Research and Intelligence team have detailed a new cyber espionage campaign that leverages a previously undocumented malware to attack businesses around the world.

The campaign, dubbed CostaRicto, appears to have been orchestrated by a hack-for-hire group that possesses bespoke malware tooling and complex VPN proxy and SSH tunneling capabilities. The list of targets includes companies in countries across Europe, the Americas, Asia, Australia, and Africa, with the biggest concentration of victims in South Asia (especially India, Bangladesh, and Singapore). This suggests the threat actor could be based in that region while working on a wide range of commissions from diverse clients. According to the researchers, the victim profiles span several verticals, with a large portion being financial institutions.

As for the group's modus operandi, it is nothing new: after gaining an initial foothold in the target's environment via stolen credentials, the threat actor establishes an SSH tunnel to download a backdoor and a payload loader called CostaBricks, which implements a C++ virtual machine mechanism to decode the bytecode payload and inject it into memory. The command-and-control (C2) servers are managed via Tor and/or through a layer of proxies.

The backdoor in question is called SombraRAT, named after Sombra, a character from the game Overwatch.

“The backdoor used as a foothold is a new strain of never-before-seen malware – a custom-built tool with a suggestive project name, well-structured code, and detailed versioning system. The earliest timestamps are from October 2019, and based on the version numbers, the project appears to be in the debug testing phase. It’s not clear as of now if it’s something that the threat actors developed in-house or obtained for exclusive use as part of beta testing from another entity,” the researchers said.

SombraRAT is mainly used to download and execute other malicious payloads, but it can also carry out simple actions such as collecting system information, listing and killing processes, and uploading files to the C2.

All the CostaRicto malware samples uncovered by BlackBerry date back to October 2019, but other clues in the group's servers suggest CostaRicto may have been active since 2017.

“Outsourcing an espionage campaign, or part of it, to a mercenary group might be very compelling, especially to businesses and individuals who seek intelligence on their competition yet may not have the required tooling, infrastructure and experience to conduct an attack themselves. But even notorious adversaries experienced in cyber-espionage can benefit from adding a layer of indirection to their attacks. By using a mercenary as their proxy, the real attacker can better protect their identity and thwart attempts at attribution,” the researchers noted.
