SombRAT is a backdoor threat observed in campaigns attributed to a threat actor group called CostaRicto, which is believed to offer hacking services for hire. The tools the group uses, including SombRAT, appear to be either custom-built or specifically crafted for it, as they have not been observed outside of CostaRicto operations.
Certain details found inside the code of SombRAT indicate that, at some point, the malware was named Sombra, after a character from the popular game Overwatch who is described as an espionage and intelligence assessment specialist with great hacking skills. Written in C++, SombRAT has typical backdoor functionality that is enhanced through a plugin architecture. This means that the CostaRicto attackers use the threat mainly as an intermediary that drops and executes additional malicious plugins or binaries, while on its own it can exfiltrate specific system data, terminate processes, and upload files to the Command-and-Control (C&C, C2) infrastructure.
Upon being executed on the targeted computer, SombRAT first checks whether it is being run as a service and then creates a run-once mutex containing &HOSTNAME& followed by either 'S', 'U' or 'SU', determined by the privileges the threat was executed with. When fully deployed, SombRAT recognizes 50 different commands that can be broadly divided into six groups, each with a separate interface: Core, Taskman, Config, Storage, Debug and Network.
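The run-once mutex described above gives defenders a host-local artifact to hunt for. The following is an added example, not code from the original article or from the malware itself: it builds the expected mutex names for a machine and matches them against a constructed list of mutex names such as a handle enumeration tool would report. It assumes the mutex name is the hostname immediately followed by the suffix with no separator, and it does not interpret the suffix beyond what the text states (the mapping from suffix to privilege level is not given).

```python
import re
import socket

# Suffixes the text lists: 'S', 'U' or 'SU' appended after the hostname.
SOMBRAT_SUFFIXES = ("S", "U", "SU")

# Constructed sample of mutex names in the form a handle enumeration tool
# would display them; the two DESKTOP-7Q2K1 entries with an S/SU suffix are
# the planted matches, the others are benign decoys.
SAMPLE_MUTEXES = [
    r"\Sessions\1\BaseNamedObjects\DESKTOP-7Q2K1SU",
    r"\BaseNamedObjects\DESKTOP-7Q2K1S",
    r"\BaseNamedObjects\Global\WininetStartupMutex",
    r"\Sessions\1\BaseNamedObjects\DESKTOP-7Q2K1-Update",
]


def expected_mutex_names(hostname: str) -> set[str]:
    """Candidate SombRAT run-once mutex names for a given machine
    (assumption: hostname directly followed by the suffix)."""
    return {f"{hostname}{suffix}" for suffix in SOMBRAT_SUFFIXES}


def find_suspicious_mutexes(observed: list[str], hostname: str) -> list[tuple[str, str]]:
    """Return (full_mutex_name, suffix) pairs whose bare name is
    <hostname> followed by exactly S, U or SU. The kernel object
    namespace prefix (\\BaseNamedObjects\\...) is stripped before matching;
    the hostname is matched case-insensitively since Windows reports it
    in upper case while inventories may not."""
    pattern = re.compile(rf"^{re.escape(hostname)}(SU|S|U)$", re.IGNORECASE)
    hits: list[tuple[str, str]] = []
    for name in observed:
        bare = name.rsplit("\\", 1)[-1]
        match = pattern.match(bare)
        if match:
            hits.append((name, match.group(1).upper()))
    return hits


if __name__ == "__main__":
    # On a real host, use the local hostname and a live mutex listing.
    local = socket.gethostname()
    print("expected names on this host:", sorted(expected_mutex_names(local)))
    for name, suffix in find_suspicious_mutexes(SAMPLE_MUTEXES, "DESKTOP-7Q2K1"):
        print(f"suspicious mutex {name!r} (suffix {suffix})")
```

A hit only indicates the naming pattern, so confirm by inspecting the owning process and its network behavior before acting on it.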
Before it can start receiving commands, SombRAT must establish a connection with the C2 servers. This is achieved through either DNS tunneling or TCP sockets, with the communication traffic being encrypted with RSA-2048. The C2 domain is hardcoded into the threat, while the subdomain is determined through the use of a Domain Generation Algorithm (DGA).
All data gathered by SombRAT, together with its configuration details and any downloaded plugins, is placed in a file created in the %TEMP% directory in a custom database format. The file is encrypted with AES-256, and every time the malware wants to either read what is already stored or add new information, it must decrypt and then re-encrypt the entire file.