CostaBricks is a custom-made loader used to deliver the 32-bit version of the SombRAT Backdoor malware. Both tools are part of the arsenal of a hacker group named CostaRicto that is operating as a mercenary for hire. For CostaBricks, the hackers created a unique implementation of a virtual machine mechanism responsible for executing an embedded bytecode that decodes and injects the final payload into memory. This virtual machine mechanism is comprised of C++ objects and classes and has 20 different instructions that each has between zero and three operands. The purpose of this method is to increase the obfuscation of the threatening activities performed by the threat. Further anti-analysis measures found in the threat include the entire, unobfuscated code of a legitimate open-source application named Blink. This code never gets executed.
The bytecode used by CostaBricks remained identical throughout the different samples of the threat that were analyzed by the infosec experts at BlackBerry. It is exactly 1800 lines long, but most of them are simply fluff that has been inserted for obfuscation purposes. The bytecode's actual programming is responsible for decoding the embedded malware payload, loading it into the memory of the compromised system and then executing it. The payload is decrypted through a custom symmetric algorithm with hardcoded keys that can be described as a combination of SHL/SHR/SUB/ADD/XOR.