Cybersecutity

Hacker-for-hire group CostaRicto outsourcing cyber-espionage

CostaRicto targets can be found the world over: in Europe, the Americas, Asia, Australia, and Africa.

A new mercenary hacker group tracked as CostaRicto by BlackBerry researchers is selling its services to entities requiring APT-level hacking expertise in cyber-espionage campaigns spanning the globe and targeting a multitude of industry sectors. 

This hacker-for-hire group’s toolset includes custom and never-before-seen malware, as well as the use of SSH tunnels set up on their victims’ networks and VPN proxies that enables them to avoid detection and hide their malicious activity.

“With the undeniable success of Ransomware-as-a-Service (RaaS), it’s not surprising that the cybercriminal market has expanded its portfolio to add dedicated phishing and espionage campaigns to the list of services on offer.” researchers with BlackBerry Research and Intelligence team said.

“Outsourcing attacks or certain parts of the attack chain to unaffiliated mercenary groups has several advantages for the adversary – it saves their time and resources and simplifies the procedures, but most importantly it provides an additional layer of indirection, which helps to protect the real identity of the threat actor.”

The APT mercenaries have targeted organizations from almost all continents including Europe (France, Netherlands, Austria), Asia (China), the Americas (U.S.), and Australia, with a focus on targets from South Asia (India, Bangladesh, and Singapore).

This mix of targets from different countries can be explained by the various assignments commissioned by a diverse range of entities potentially including large organizations and even governments.

Their attacks focused on South Asia provides some hints at CostaRicto’s base of operations from where they launch cyber-espionage campaigns on behalf of customers.

CostaRicto’s victims come from a wide range of industries and “are diverse across several verticals, with a large portion being financial institutions.”

The group has been active since at least October 2019 based on their CostaRicto malware timestamps, although some of their payload stagers are as old as 2017 suggesting that they have been used in previous campaigns but for delivering other malicious payloads.

“Outsourcing an espionage campaign, or part of it, to a mercenary group might be very compelling, especially to businesses and individuals who seek intelligence on their competition yet may not have the required tooling, infrastructure, and experience to conduct an attack themselves,” BlackBerry said.

“But even notorious adversaries experienced in cyber-espionage can benefit from adding a layer of indirection to their attacks. By using a mercenary as their proxy, the real attacker can better protect their identity and thwart attempts at attribution.”

CostaRicto’s Toolset

To gain access to their victims’ networks, the hackers use an unknown infiltration vector but BlackBerry says that stolen credentials, phished or bought from unknown sources, could be a possibility.

Once in, they deploy remote SSH tunnels and an HTTP and reverse-DNS payload stager used to deploy a never-before-seen backdoor dubbed Sombra.

The backdoor is delivered on to compromised systems via a PowerSploit reflective loader or a custom-built VM-based dropper known as CostaBricks.

By managing their command-and-control servers through a combination of Tor connections and a layer of proxies, CostaRicto also shows “better-than-average operation security.”

“The toolset used in CostaRicto campaign consists of bespoke malware that appeared around October 2019 and has been rarely seen in the wild since. It, therefore, appears to be private to this particular adversary,” BlackBerry explains.

“Moreover, the constant development, detailed versioning system and well-structured code that allows for easy functionality expansion – all suggest that the toolset is part of a long-term project, rather than a one-off campaign.”

Rapid Mobile

Rapid Mobile uses cookies, tokens, and other third party scripts to recognise visitors of our sites and services, remember your settings and privacy choices, and - depending on your settings and privacy choices - enable us and some key partners to collect information about you so that we can improve our services and deliver relevant ads.

 

By continuing to use our site or clicking I Accept, you agree that Rapid Mobile and our key partners may collect data and use cookies for personalised ads and other purposes, as described more fully in our privacy policy.

 

You can change your settings at any time by clicking Manage Settings or by visiting our Privacy Centre for more detailed information.

 

Privacy Settings saved!
Cookie Services

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies.Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

These cookies allow us to count visits and traffic sources, so we can measure and improve the performance of our site.

We track anonymized user information to improve our website.
  • _ga
  • _gid
  • _gat

Decline all Services
Accept all Services