A new Advanced Persistent Threat (APT) for hire group named CostaRicto was recently identified by the Blackberry Research and Intelligence Team. The group—at this time—has not focused on any specific vertical and its target countries are widespread: United States, Australia, the Bahamas, France, India, Singapore and several European countries. Mercenary APT groups are by no means new—in fact DeathStalker and Bahamut, two similar groups, were discovered by cybersecurity researchers earlier this year.

What Is It?

CostaRicto uses social engineering (phishing) to gain access to a target network and then deploys a rarely seen piece of custom malware called Sombra or SombRAT to act as the backdoor component. The 64-bit version of SombRAT is deployed using a PowerShell loader, a common and straightforward method. Next, a 32-bit version is deployed, hiding its true nature inside a more sophisticated piece of malware that runs its code through a custom virtual machine. This advanced technique is more often seen in commercial executable protectors than in malware.

The SombRAT backdoor, like most remote access trojans (RATs), supports plugin modules and contains 50 backdoor commands that include functionality to download and execute other malware, manipulate files and processes, extract system information and exfiltrate data to the C2 (command and control) site. The C2 site’s base domain name is hardcoded and lightly obfuscated with a single-byte XOR; from it the malware calculates the subdomain it connects to over Tor on the dark web. Researchers note that the code is well structured, appears to be under constant development and uses a detailed versioning system, indicating it is part of CostaRicto’s base toolset rather than a one-off campaign.
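As an added illustration, not code from the BluVector report or from SombRAT itself: the analyst-side check for a string obfuscated with a single-byte XOR is to try all 256 keys and keep only decodings that look like a hostname. The blob, domain and key 0x5A below are constructed placeholders, not values from the actual samples.

```python
import re

# Hostname shape: dot-separated labels of letters, digits and hyphens,
# each label starting and ending with a letter or digit.
_HOSTNAME_RE = re.compile(
    rb"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    rb"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)+$"
)


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def looks_like_domain(candidate: bytes) -> bool:
    """True if the decoded bytes have the shape of a DNS hostname."""
    return bool(_HOSTNAME_RE.match(candidate))


def recover_xor_domains(blob: bytes) -> list[tuple[int, str]]:
    """Brute-force the single-byte key; return (key, hostname) pairs that decode cleanly.

    A real sample would yield the blob from a string-extraction pass over the
    binary; here it is constructed inline so the check runs offline.
    """
    hits = []
    for key in range(256):
        plain = xor_bytes(blob, key)
        if looks_like_domain(plain):
            hits.append((key, plain.decode("ascii")))
    return hits


# Constructed placeholder: a fake C2 base domain XORed with key 0x5A.
PLACEHOLDER_DOMAIN = b"example-c2-placeholder.onion"
SAMPLE_BLOB = xor_bytes(PLACEHOLDER_DOMAIN, 0x5A)


if __name__ == "__main__":
    for key, domain in recover_xor_domains(SAMPLE_BLOB):
        print(f"key=0x{key:02x} -> {domain}")
```

The hostname filter is what keeps the 256 candidates from drowning the one real decoding; without it, every key produces some byte string.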

More mercenary APT groups will likely appear over time, as “as-a-service” offerings gain in popularity and offer advantages to attackers, even as a small part of an overall campaign. Advantages include complicating attempts at attributing an attack, obscuring the true source of the attack and removing the need for an attacker to develop their own new tools.

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. It is believed CostaRicto gains access to a target’s networks via credentials obtained as a result of social engineering attacks.

When/How Did BluVector Detect It?

Eleven samples are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown samples would have been detected an average of 31 months prior to their release.