BlackBerry Research and Intelligence team have discovered a cyber-espionage campaign that's targeted at financial firms, dubbed CostaRicto, which appears to be operated by a group of APT “hackers-for-hire” mercenaries.

The hackers-for-hire operation was discovered using a strain of previously undocumented malware that targets South Asian financial institutions and entertainment companies globally; albeit mercenary groups that offers APT-style cyberattacks are becoming more and more popular.

The tactics, techniques, and procedures (TTPs) employed by these APT “hackers-for-hire” mercenaries often mimics highly sophisticated state-sponsored campaigns, though the profiles of their victims are far too more diverse to be aligned to a single bad actor’s interests.

The Modus Operandi of APT Hackers For Hire



The APT Hackers For Hire modus operandi is quite straight-forward, with the initial foothold in the target's environment through stolen credentials, the hackers set up an SSH tunnel to download a backdoor and payload loader dubbed CostaBricks which implements a C++ virtual machine mechanism that decode and inject bytecode payload into the victim's device memory.



And the command-and-control (C2) servers are managed via DNS tunneling, with the backdoor delivered by the CostaBricks loaders as a C++ compiled executable called SombRAT, named after a Mexican hacker, known as Sombra and an infiltrator from Overwatch, the popular multiplayer game.

The biggest concentration of targets appear to be in South Asia, mostly: Singapore, India, Bangladesh and China, which suggests that the threat actor themselves could be based in these regions, but working for a more wider range of commissions from diverse clients around the world.

Albeit, the identities of the bad actors behind the operation remains unknown, but one of the IP addresses on which the backdoor domains were registered has been linked to an earlier phishing campaign attributed to Russia-backed APT28 hacking group, hinting at a possible link that the phishing campaigns could have been outsourced on behalf of the actual mercenaries.

About The BlackBerry Research and Intelligence Unit



The BlackBerry Research and Intelligence unit examines emerging and persistent threats, in order to provide intelligence analysis for the benefit of organizations they serve.

And this isn't the first hackers-for-hire operation uncovered by the BlackBerry Research and Intelligence team, the first was a series of campaigns by a group called Bahamut that exploited zero-day flaws, malicious and disinformation operations to target victims in the Middle East and South Asia.

CostaRicto Campaign: APT 'Hackers For Hire' Operation targets financial firms

BlackBerry Research and Intelligence team have discovered a cyber-espionage campaign that's targeted at financial firms, dubbed CostaRicto, which appears to be operated by a group of APT “hackers-for-hire” mercenaries.

The hackers-for-hire operation was discovered using a strain of previously undocumented malware that targets South Asian financial institutions and entertainment companies globally; albeit mercenary groups that offers APT-style cyberattacks are becoming more and more popular.

The tactics, techniques, and procedures (TTPs) employed by these APT “hackers-for-hire” mercenaries often mimics highly sophisticated state-sponsored campaigns, though the profiles of their victims are far too more diverse to be aligned to a single bad actor’s interests.

The Modus Operandi of APT Hackers For Hire



The APT Hackers For Hire modus operandi is quite straight-forward, with the initial foothold in the target's environment through stolen credentials, the hackers set up an SSH tunnel to download a backdoor and payload loader dubbed CostaBricks which implements a C++ virtual machine mechanism that decode and inject bytecode payload into the victim's device memory.



And the command-and-control (C2) servers are managed via DNS tunneling, with the backdoor delivered by the CostaBricks loaders as a C++ compiled executable called SombRAT, named after a Mexican hacker, known as Sombra and an infiltrator from Overwatch, the popular multiplayer game.

The biggest concentration of targets appear to be in South Asia, mostly: Singapore, India, Bangladesh and China, which suggests that the threat actor themselves could be based in these regions, but working for a more wider range of commissions from diverse clients around the world.

Albeit, the identities of the bad actors behind the operation remains unknown, but one of the IP addresses on which the backdoor domains were registered has been linked to an earlier phishing campaign attributed to Russia-backed APT28 hacking group, hinting at a possible link that the phishing campaigns could have been outsourced on behalf of the actual mercenaries.

About The BlackBerry Research and Intelligence Unit



The BlackBerry Research and Intelligence unit examines emerging and persistent threats, in order to provide intelligence analysis for the benefit of organizations they serve.

And this isn't the first hackers-for-hire operation uncovered by the BlackBerry Research and Intelligence team, the first was a series of campaigns by a group called Bahamut that exploited zero-day flaws, malicious and disinformation operations to target victims in the Middle East and South Asia.

No comments