Researchers from the BlackBerry Research and Intelligence team have detailed a new cyber espionage campaign that leverages a previously undocumented malware to attack businesses around the world.
The campaign, dubbed CostaRicto, appears to have been orchestrated by a hack-for-hire group that possesses bespoke malware tooling and complex VPN proxy and SSH tunneling capabilities. The list of targets includes companies in different countries across Europe, the Americas, Asia, Australia, and Africa, with the biggest concentration of victims in South Asia (especially India, Bangladesh, and Singapore), suggesting that the threat actor could be based in that region but working on a wide range of commissions from diverse clients. According to the researchers, the victim profiles are diverse across several verticals, with a large portion being financial institutions.
As for the group’s modus operandi, it is nothing new: once it has gained an initial foothold in the target's environment via stolen credentials, the threat actor establishes an SSH tunnel to download a backdoor and a payload loader called CostaBricks, which implements a C++ virtual machine mechanism to decode the bytecode payload and inject it into memory. The command-and-control (C2) servers are managed via Tor and/or through a layer of proxies.
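From a detection standpoint, the SSH tunneling described above leaves a footprint in process-creation telemetry: an `ssh` invocation carrying forward or proxy options. The following script is an added example written for this article, not code from BlackBerry or from the report; it scans constructed sample log lines (the `timestamp host user command` format, the hostnames, and the addresses are all assumed) and flags OpenSSH invocations that set up local, remote, dynamic or tun forwards, or that route through a `ProxyCommand` pointing at the default Tor SOCKS ports 9050/9150. Plain interactive sessions are left alone so that the output can be reviewed against a host's expected SSH usage.

```python
import shlex
from typing import Dict, List, Optional

# Added example (not from the BlackBerry report): flag SSH invocations that
# set up tunnels or proxies, so they can be reviewed against expected usage.

# OpenSSH single-letter flags that create a forward or tunnel.
TUNNEL_FLAGS = {
    "L": "local port forward",
    "R": "remote (reverse) port forward",
    "D": "dynamic SOCKS proxy",
    "w": "tun device forward",
}
# ssh_config keywords that achieve the same thing when passed with -o.
TUNNEL_KEYWORDS = ("localforward", "remoteforward", "dynamicforward")
# Default Tor SOCKS listeners (assumption: a ProxyCommand aimed at one of
# these deserves a second look on a host that is not expected to run Tor).
TOR_SOCKS_PORTS = ("127.0.0.1:9050", "127.0.0.1:9150")

# Constructed sample process-creation log lines: "timestamp host user command".
SAMPLE_LOGS = [
    "2020-11-12T08:01:03Z ws-17 jsmith ssh jsmith@build.internal.example",
    "2020-11-12T08:02:41Z ws-17 svc_backup ssh -fN -R 8443:127.0.0.1:443 -p 2222 user@203.0.113.10",
    "2020-11-12T08:03:15Z ws-22 dpatel ssh -D 1080 -f -N relay@198.51.100.7",
    "2020-11-12T08:04:59Z ws-22 dpatel scp report.pdf fileshare:/srv/in/",
    '2020-11-12T08:05:30Z ws-31 root ssh -o "ProxyCommand=nc -X 5 -x 127.0.0.1:9050 %h %p" ops@198.51.100.9',
    "2020-11-12T08:06:02Z ws-31 root ssh -o RemoteForward=2222:localhost:22 ops@198.51.100.9",
]


def ssh_tunnel_indicators(cmdline: str) -> Optional[List[str]]:
    """Return tunnel/proxy indicators for an ssh command line, [] for a plain
    session, or None if the command is not ssh at all."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    if not argv or argv[0].rsplit("/", 1)[-1] != "ssh":
        return None
    indicators: List[str] = []
    for tok in argv[1:]:
        # Bundled single-letter flags such as -fNR are scanned char by char;
        # the check is case-sensitive because -l (login) differs from -L.
        if tok.startswith("-") and not tok.startswith("--"):
            for ch in tok[1:]:
                if ch in TUNNEL_FLAGS:
                    indicators.append(TUNNEL_FLAGS[ch])
            continue
        lowered = tok.lower()
        if lowered.startswith(TUNNEL_KEYWORDS):
            indicators.append(f"config keyword {tok.split('=', 1)[0]}")
        if lowered.startswith("proxycommand="):
            indicators.append("ProxyCommand set")
            if any(port in tok for port in TOR_SOCKS_PORTS):
                indicators.append("ProxyCommand targets a Tor SOCKS port")
    return indicators


def scan_process_logs(lines: List[str]) -> List[Dict[str, object]]:
    """Parse 'timestamp host user command' lines and return one alert per
    ssh invocation that carries tunnel or proxy indicators."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        parts = line.split(maxsplit=3)
        if len(parts) < 4:
            continue  # malformed or truncated line, skip it
        ts, host, user, cmd = parts
        indicators = ssh_tunnel_indicators(cmd)
        if indicators:  # None (not ssh) and [] (plain session) both fall through
            alerts.append({"time": ts, "host": host, "user": user,
                           "indicators": indicators, "command": cmd})
    return alerts


if __name__ == "__main__":
    for alert in scan_process_logs(SAMPLE_LOGS):
        print(f"{alert['time']} {alert['host']} {alert['user']}: "
              + "; ".join(alert["indicators"]))
```

Run against the constructed sample, the script reports four of the six lines: the reverse forward from the `svc_backup` service account, the dynamic SOCKS proxy, the `ProxyCommand` through the local Tor port, and the `RemoteForward` keyword passed via `-o`. The interactive session and the `scp` transfer produce nothing. Which of the four matter depends on what SSH usage is normal for each host, so the point is triage against a baseline rather than blocking.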
The backdoor in question is called SombraRAT, named after Sombra, a character from the game Overwatch.
“The backdoor used as a foothold is a new strain of never-before-seen malware – a custom-built tool with a suggestive project name, well-structured code, and detailed versioning system. The earliest timestamps are from October 2019, and based on the version numbers, the project appears to be in the debug testing phase. It’s not clear as of now if it’s something that the threat actors developed in-house or obtained for exclusive use as part of beta testing from another entity,” the researchers said.
SombraRAT is mainly used to download and execute other malicious payloads, but it can also carry out simple actions such as collecting system information, listing and killing processes, and uploading files to the C2.
All the CostaRicto malware samples uncovered by BlackBerry date back to October 2019, but other clues in the group's servers suggest CostaRicto may have been active since 2017.
“Outsourcing an espionage campaign, or part of it, to a mercenary group might be very compelling, especially to businesses and individuals who seek intelligence on their competition yet may not have the required tooling, infrastructure and experience to conduct an attack themselves. But even notorious adversaries experienced in cyber-espionage can benefit from adding a layer of indirection to their attacks. By using a mercenary as their proxy, the real attacker can better protect their identity and thwart attempts at attribution,” the researchers noted.