A new mercenary hacker group tracked as CostaRicto by BlackBerry researchers is selling its services to entities requiring APT-level hacking expertise in cyber-espionage campaigns spanning the globe and targeting a multitude of industry sectors.
This hacker-for-hire group’s toolset includes custom and never-before-seen malware, as well as the use of SSH tunnels set up on their victims’ networks and VPN proxies that enables them to avoid detection and hide their malicious activity.
“With the undeniable success of Ransomware-as-a-Service (RaaS), it’s not surprising that the cybercriminal market has expanded its portfolio to add dedicated phishing and espionage campaigns to the list of services on offer.” researchers with BlackBerry Research and Intelligence team said.
“Outsourcing attacks or certain parts of the attack chain to unaffiliated mercenary groups has several advantages for the adversary – it saves their time and resources and simplifies the procedures, but most importantly it provides an additional layer of indirection, which helps to protect the real identity of the threat actor.”
The APT mercenaries have targeted organizations from almost all continents including Europe (France, Netherlands, Austria), Asia (China), the Americas (U.S.), and Australia, with a focus on targets from South Asia (India, Bangladesh, and Singapore).
This mix of targets from different countries can be explained by the various assignments commissioned by a diverse range of entities potentially including large organizations and even governments.
Their attacks focused on South Asia provides some hints at CostaRicto’s base of operations from where they launch cyber-espionage campaigns on behalf of customers.
CostaRicto’s victims come from a wide range of industries and “are diverse across several verticals, with a large portion being financial institutions.”
The group has been active since at least October 2019 based on their CostaRicto malware timestamps, although some of their payload stagers are as old as 2017 suggesting that they have been used in previous campaigns but for delivering other malicious payloads.
“Outsourcing an espionage campaign, or part of it, to a mercenary group might be very compelling, especially to businesses and individuals who seek intelligence on their competition yet may not have the required tooling, infrastructure, and experience to conduct an attack themselves,” BlackBerry said.
“But even notorious adversaries experienced in cyber-espionage can benefit from adding a layer of indirection to their attacks. By using a mercenary as their proxy, the real attacker can better protect their identity and thwart attempts at attribution.”
To gain access to their victims’ networks, the hackers use an unknown infiltration vector but BlackBerry says that stolen credentials, phished or bought from unknown sources, could be a possibility.
Once in, they deploy remote SSH tunnels and an HTTP and reverse-DNS payload stager used to deploy a never-before-seen backdoor dubbed Sombra.
The backdoor is delivered on to compromised systems via a PowerSploit reflective loader or a custom-built VM-based dropper known as CostaBricks.
By managing their command-and-control servers through a combination of Tor connections and a layer of proxies, CostaRicto also shows “better-than-average operation security.”
“The toolset used in CostaRicto campaign consists of bespoke malware that appeared around October 2019 and has been rarely seen in the wild since. It, therefore, appears to be private to this particular adversary,” BlackBerry explains.
“Moreover, the constant development, detailed versioning system and well-structured code that allows for easy functionality expansion – all suggest that the toolset is part of a long-term project, rather than a one-off campaign.”