CostaRicto APT Description
CostaRicto is the name given to a hacker group that is apparently operating as a mercenary and offering their services for hire. Its activities were detected by the infosec experts at BlackBerry, who uncovered a wide-range espionage campaign. Such 'hackers-for-hire' groups are appearing more and more in the cybercrime underworld as they possess capabilities and tools on par with state-sponsored Advanced Persistent Threat (APT) groups but can operate on a world-wide level across multiple industry sectors in accordance with the needs of their clients.
CostaRicto employs a toolset of custom-built malware threats that were either created by the hackers themselves or were commissioned exclusively. In the cyber-espionage campaign, the hackers deployed two loader types depending on the architecture of the targeted computer, a unique strain of backdoor malware called SombRAT, HTTP, and reverse-DNS payload stagers, a port scanner 'nmap,' and PsExec. For 32-bit systems, the hackers use CostaBricks - a custom loader that implements a virtual machine mechanism that initiates a bytecode responsible for the description, loading into memory, and execution of the malware payload. If the target uses a 64-bit system, CostaRicto deploys a different loader - PowerSploit's reflective PE injection module.
The attack chain begins with, most likely, the use of collected credentials gathered through phishing or simply bought on the dark Web. Then, CostaRicto set up the communication channel with the Command-and-Control (C&C, C2) infrastructure of the campaign, managed through the TOR network or a proxies system. For communication within the compromised network, a system of SSH tunnels is created. Certain domain names found to be hardcoded into the malware tools of CostaRicto are designed to spoof legitimate domains - the corrupted 'sbidb.net' domain mimics the domain of the State Bank of India Bangladesh, which is 'sbidb.com.' A curious fact that could be accidental is CostaRicto's reuse of an IP address that has been observed in a phishing campaign conducted by another hacker group previously - the APT threat actor known as APT28.
Being a group of hackers that offer their services to the highest paying client, CostaRicto's operations can be traced to victims all across the world. Targets have been identified in China, the U.S., Australia, Austria, the Netherlands, Singapore, France, India, Mozambique, Singapore and Portugal. The only pattern that could be surmised is a slightly-higher concentration of compromised machines in the South-Asian region.