Found advanced cyber-espionage mercenaries attacking financial structures around the world

An APT company that allegedly makes contracts for some form of cyber surveillance for money has been discovered by BlackBerry experts. The group uses its own instruments entirely, and they have a rather sophisticated style.

Monday, November 23, 2020, 10:05 GMT

Contractual duties
A modern hacker community that operates out of commercial interests has been identified by BlackBerry experts, but at the same time mimics all types of “state” hackers quite effectively or executes “contracts” in the interests of national state governments.

The party known as CostaRicto, is currently targeting targets primarily in South Asia (India, Bangladesh, Singapore), while organizations in France, Holland, Austria, China, the United States and Australia are among its casualties. A large number of the institutions under attack are linked to the finance industry. Obviously, these are the goals that are most involved in attacking consumers.

BlackBerry experts were unable to determine the primary vector of the infiltration of CostaRicto operators into the networks under attack. Using previously corrupted access credentials, that is, exposed and not replaced by time logins and passwords, is one of the most possible choices.

The attackers deploy SSH tunnels after breaching the perimeter, as well as a stager that installs a special backdoor via HTTP and reverse DNS queries, called Sombra.

Using the PowerSploit platform or a special dropper built on a virtual machine named CostaBricks, the backdoor is distributed to vulnerable devices by the manipulation of reflective DLL injection.

High standard of preparation and protection of activities
The experts have observed the CostaRicto operators’ improved degree of organizational security: they use a variety of proxy servers and Tor links to obscure their operations and keep the attack from being tracked back to the original source.

In 2019, the malware suite used by CostaRicto was first spotted. Since then it has been seen very occasionally by security analysts, reflecting the limited focus of the attacks, as well as the fact that it is not likely to be anything other than CostaRicto itself. He loves it.

They are actively developing these services. Experts from BlackBerry noticed that their code is very well designed, so the malware’s features can be quickly expanded.