Security researchers from BlackBerry Research are tracking a cyber espionage group dubbed CostaRicto whose targets are unusually varied, indicating that it's selling hacker-for-hire services to other entities. The group uses its own custom-built malware and a complex network of proxies, VPNs and SSH tunnels to hide its activity.
"Mercenary groups offering APT-style attacks are becoming more and more popular," the BlackBerry researchers said in their report. "Their tactics, techniques, and procedures (TTPs) often resemble highly sophisticated state-sponsored campaigns, but the profiles and geography of their victims are far too diverse to be aligned with a single bad actor’s interests."
CostaRicto targets multiple industries, geographic regions
The APT group has been operating since at least October 2019, but potentially as far back as 2017, based on timestamps in samples of its unique backdoor program. Its victims span multiple industry verticals, but many of them are financial institutions.
In terms of geography, the targets are based all over the world, but a concentration has been observed in South Asia, especially in India, Bangladesh and Singapore, suggesting the group might be based in and working for entities in that region. The list of other countries where victims were observed include China, the US, Bahamas, Australia, Mozambique, France, the Netherlands, Austria, Portugal and the Czech Republic.
Hacker-for-hire groups sit at the intersection of two trends observed over the past few years: the adoption of APT techniques by non-state groups, including those traditionally associated with cyber crime, and the commoditisation of cyber espionage through a new APT-as-a-service model.
These changes in the threat landscape challenge traditional threat models and leave many organisations exposed because they haven't considered themselves as a potential target for cyber espionage in the past and don't have the necessary defences in place.
This year we've seen reports of mercenary groups targeting law firms, financial consultancies and 3D modelling companies, suggesting that no organisation, regardless of industry, can afford to ignore APTs anymore.
"With the undeniable success of ransomware-as-a-service (RaaS), it's not surprising that the cyber criminal market has expanded its portfolio to add dedicated phishing and espionage campaigns to the list of services on offer," the researchers said.
"Outsourcing attacks or certain parts of the attack chain to unaffiliated mercenary groups has several advantages for the adversary – it saves their time and resources and simplifies the procedures, but most importantly it provides an additional layer of indirection, which helps to protect the real identity of the threat actor."
The BlackBerry researchers don't know for certain how the group gains initial access into a victim's environment, but believes it could involve stolen credentials that have been acquired through phishing or from other sellers on the dark web. Selling access to compromised systems is also a common practice on underground forums.
Once the attackers are on the victim's network, they set up SSH tunnels back to themselves and deliver a payload dropper via HTTP or reverse-DNS and then execute it using a scheduled task.
This dropper loads a custom backdoor or remote access trojan (RAT) that the attackers call Sombra. The name is a reference to a character from the game Overwatch who specialises in espionage and intelligence assessment.
The researchers have seen the attackers use a loader from the PowerSploit open-source project, but also a custom dropper called CostaBricks that uses virtual machine techniques to inject code into memory in an attempt to hide its malicious activities from security monitoring products that are running locally on the computer.
"This attempt at obfuscation, although not new, is rather uncommon in relation to targeted attacks," the researchers said. "Code virtualisation has been most prevalent in commercial software protectors which use much more advanced solutions; simpler virtual machines are sometimes also featured in off-the-shelf malicious packers used by widespread financial crime-ware.
"This particular implementation, however, is unique (there are just a handful of samples in the public domain) and seems to be used only with SombRAT payloads – which makes us believe it is a custom-built tool that is private to the attackers."
The Sombra, or SombRAT, backdoor is written in C++ that has a plugin architecture. The malicious tool supports some 50 different commands, but is primarily used to execute additional independent payloads or its own plugins, kill processes, collect system information, upload files to the command-and-control (C2) server and other simple actions.
Communication with the C2 infrastructure is encrypted with RSA-2048 and done over DNS tunnelling with subdomains generated on-the-fly using a custom algorithm. The attackers use domain names that closely resemble legitimate ones--for example, one typosquatting a domain owned by the State Bank of India.
One of the IP addresses used by CostaRicto's C2 infrastructure was used in the past in a phishing campaigns associated with the Russian group APT-28, also known as Fancy Bear, but the BlackBerry researchers don't think there is any connection between the two groups.
The C2 servers are managed by the group through the Tor anonymity network and a layer of web proxies, indicating above average operational security. The Sombra backdoor itself is in constant development, uses a detailed versioning system and well-structured code, suggesting it's a long-term project maintained by skilled developers.
"Although in theory the customers of a mercenary APT might include anyone who can afford it, the more sophisticated actors will naturally choose to work with patrons of the highest profile – be it large organisations, influential individuals, or even governments," the BlackBerry researchers said. "Having a lot at stake, the cyber criminals must choose very carefully when selecting their commissions to avoid the risk of being exposed."