Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:20 PM
Connect Directly

New 'CostaRicto' Hack-for-Hire Group Targets Global Businesses

The group of APT mercenaries uses bespoke malware and strong operation security to target a range of organizations, located primarily in Southeast Asia.

A new hack-for-hire group has been employing custom malware in attacks that target disparate victims worldwide, with the largest concentration in South Asia, BlackBerry researchers report.

Related Content:

Like the Energizer Bunny, Trickbot Goes On and On

The Changing Face of Threat Intelligence

New on The Edge: We Secured the Election. Now How Do We Secure Trust in Results?

This group of advanced persistent threat (APT) mercenaries, dubbed "CostaRicto" by BlackBerry's Research and Intelligence Team, has targeted organizations in countries across Europe, the Americas, Africa, Australia, and Asia, particularly in India, Bangladesh, and Singapore. While CostaRicto has been on the team's radar since January 2020, it estimates it has been active since around late 2019.

The emergence of this group underscores a broader trend of mercenary APT groups appearing on the threat landscape. These attackers' tactics, techniques, and procedures (TTPs) resemble those seen in advanced nation-state attacks, but their victims' profiles and geographies are too diverse to be aligned with a single attacker's goals.

Consider CostaRicto, which uses a combination of bespoke malware and off-the-shelf tools to infiltrate target organizations. Tom Bonner, distinguished threat researcher with BlackBerry, says the most interesting aspects of its operations are SombRAT, a new custom backdoor that emerged in October 2019, and CostaBricks, a custom virtual machine-based payload loader. 

"We've not seen [SombRAT] before; it doesn't relate to any other actors we've observed previously," says Bonner. It's a "fairly interesting" backdoor as well, he continues, noting it's written in C++, a trait that makes it "hideous to pull apart and go through." 

Once group members gain access to a target environment, they are careful about deploying this malware, he explains. The backdoor will never reside on the file system unencrypted. Attackers go to great lengths to ensure the binaries they're using appear only in memory. Their creation of a virtual machine-based loader in CostaBricks is another sign of the attackers' skill level.

"They're really putting many layers of obfuscation over their malware … to try and evade detection from antivirus and EDR products, and other monitoring or behavioral analysis on the system," Bonner says. Operational security is also strong: Its command-and-control servers are managed via Tor and/or through a layer of proxies, and it creates a complex network of SSH tunnels in the victim's environment. 

In a writeup of their findings on CostaRicto, researchers say their tools' constant development, detail versioning system, and well-structured code that allow for expansion of functionality all indicate the group's tool set is part of a long-term project rather than a one-off campaign. Eric Milam, vice president of research operations at BlackBerry, anticipates they could be preparing for a large-scale attack. Right now, it's unclear exactly what its motivations are.

"They seem to be laying the groundwork for something bigger," he says, noting much of their activity was intended to hide lateral movement, conceal data exfiltration, and other tasks.

SombRAT indicates the group is well-funded and has a level of sophistication beyond simply grabbing things off the shelf, though it does also use PowerSploit's reflective PE injection modules, nmap port scanner, and PsExec in its operations. As with other hack-for-hire groups, custom malware and other new techniques can throw investigators off the attackers' scent. 

"It's making our lives a lot harder to try and track down the original threat actors, once they've engaged with the mercenaries to carry out their attacks," Bonner explains. "All of a sudden we're faced with new TTPs and indicators and things like that; they don't look like previous known campaigns we've monitored." These factors, combined with disparate targeting across several geographies, can make the already-difficult task of attribution even more challenging. 

The Growing Pattern of Hack-for-Hire Organizations
The growth of organized cybercrime has allowed attackers to specialize, and profit, in what they're good at. Some are skilled at developing ransomware applications; others are handy in breaking into managed security service providers. This enables them to help each other conduct more effective attacks.

Hack-for-hire operations have emerged from this trend and are poised to continue growing. While they help advanced attackers hide their activity, that isn't the only reason, Milam says.

"I always picture these folks as an organization much like outs, where there's different projects and different leaders," he explains. "I think it's just easier for attackers to outsource things to a trusted entity, and I think we're going to see a lot more nation-states do that."

Researchers noted several similarities between CostaRicto and Bahamut, another mercenary group involved in attacks targeting government businesses and officials in the Middle East and South Asia. Similar to Bahamut, CostaRicto is clear in its targets, has strong operational security, and uses bespoke malware in its attacks. "Those all smell a lot like Bahamut," he says, especially considering the region, but researchers couldn't definitively connect the two groups. 

"The high-level strokes all appear to be the same," Milam says. "They appear to be working out of the same region [and have] completely disparate targets that make no sense. Nation-states usually have a rhyme or reason to be attacking the way they're attacking, most obviously geopolitically motivated. These folks seem to be willing to take on whatever target is paid for."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-16
SAP NetWeaver ABAP Server and ABAP Platform, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 804, does not create information about internal and external RFC user in consistent and distinguished format, which could lead to improper authentication and may be exploited by malicious u...
PUBLISHED: 2021-06-16
Valine 1.4.14 allows remote attackers to cause a denial of service (application outage) by supplying a ua (aka User-Agent) value that only specifies the product and version.
PUBLISHED: 2021-06-16
TeamViewer before 14.7.48644 on Windows loads untrusted DLLs in certain situations.
PUBLISHED: 2021-06-16
Citrix ADC and Citrix/NetScaler Gateway 13.0 before 13.0-76.29, 12.1-61.18, 11.1-65.20, Citrix ADC 12.1-FIPS before 12.1-55.238, and Citrix SD-WAN WANOP Edition before 11.4.0, 11.3.2, 11.3.1a, 11.2.3a, 11.1.2c, 10.2.9a suffers from uncontrolled resource consumption by way of a network-based denial-o...
PUBLISHED: 2021-06-16
Citrix ADC and Citrix/NetScaler Gateway before 13.0-82.41, 12.1-62.23, 11.1-65.20 and Citrix ADC 12.1-FIPS before 12.1-55.238 suffer from improper access control allowing SAML authentication hijack through a phishing attack to steal a valid user session. Note that Citrix ADC or Citrix Gateway must b...