Threat Alert – ‘CostaRicto’ Hack-for-Hire Mercenary Group: Targets Global Businesses

A hackers-for-hire operation has been discovered using a strain of previously undocumented malware to target South Asian financial institutions and global entertainment companies.

The BlackBerry Research and Intelligence team has been monitoring a cyber-espionage campaign that is targeting disparate victims around the globe. The campaign, dubbed CostaRicto by BlackBerry, appears to be operated by “hackers-for-hire”, a group of APT mercenaries who possess bespoke malware tooling and complex VPN proxy and SSH tunnelling capabilities.

Targeting

Their targets are located in numerous countries across the globe, with a slight concentration in the South-Asian region:

India
Bangladesh
Singapore
China
U.S.
Bahamas
Australia
Mozambique
France
Netherlands
Austria
Portugal
Czechia

The victims’ profiles are diverse across several verticals, with a large portion being financial institutions.

Delivery

After gaining access to the victim’s environment (presumably by using stolen credentials, either obtained via phishing or bought on the dark web), the attacker sets up remote tunnelling using an SSH tool. The tool is configured to redirect traffic from a malicious domain to a proxy that is listening on a local port. The tunnel is authenticated using the attacker’s private key.

To pull down the backdoor, a payload stager (either HTTP or reverse-DNS) is executed by means of a scheduled task.

The backdoor comes either wrapped up in a PowerSploit reflective loader, or in the form of a custom-built dropper that uses a simple virtual machine (VM) mechanism to decode and inject the payload.

The backdoor itself is a C++ compiled executable called SombRAT, which manages its command-and-control (C2) communication via DNS tunnelling.

It can also perform other simple actions, like collecting system information, listing and killing processes, and uploading files to the C2.

Indicators of Compromise (IoCs):

An indicator of compromise (IoC), in computer forensics, is an artifact observed on a network or in an operating system that indicates, with high confidence, a computer intrusion.

Indicator | Type | Description
--- | --- | ---
130fa726df5a58e9334cc28dc62e3ebaa0b7c0d637fce1a66daff66ee05a9437 | SHA256 | SombRAT x86 loader
8062e1582525534b9c52c5d9a38d6b012746484a2714a14febe2d07af02c32d5 | SHA256 | SombRAT x86 loader
d69764b22d1b68aa9462f1f5f0bf18caebbcff4d592083f80dbce39c64890295 | SHA256 | SombRAT x86 loader
f6ecdae3ae4769aaafc8a0faab30cb66dab8c9d3fff27764ff208be7a455125c | SHA256 | SombRAT x86 loader
561bf3f3db67996ce81d98f1df91bfa28fb5fc8472ed64606ef8427a97fd8cdd | SHA256 | SombRAT x86 payload (memory dump)
8323094c43fcd2da44f60b46f043f7ca4ad6a2106b6561598e94008ece46168b | SHA256 | SombRAT x86 payload
ee0f4afee2940bbe895c1f1f60b8967291a2662ac9dca9f07d9edf400d34b58a | SHA256 | SombRAT x86 payload (UPX)
70d63029c65c21c4681779e1968b88dc6923f92408fe5c7e9ca6cb86d7ba713a | SHA256 | SombRAT encoded payload (x64)
79009ee869cec789a3d2735e0a81a546b33e320ee6ae950ba236a9f417ebf763 | SHA256 | SombRAT decoded payload (x64)
d8189ebdec637fc83276654635343fb422672fc5e3e2818df211fb7c878a3155 | SHA256 | Payload stager
fa74f70baa15561c28c793b189102149d3fb4f24147adc5efbd8656221c0960b | SHA256 | GO-socks5 proxy
c0db3dadf2e270240bb5cad8a652e5e11e3afe41b8ee106d67d47b06f5163261 | SHA256 | Pcheck proxy
6df8271ae0380737734b2dd6d46d0db3a30ba35d7379710a9fb05d1510495b49 | SHA256 | Pcheck proxy
7424d6daab8407e85285709dd27b8cce7c633d3d4a39050883ad9d82b85198bf | SHA256 | Pscan port scanner
svolcdst.exe | Filename | SombRAT loader
tunnusvcen.exe | Filename | SombRAT loader
C:\Projects\Sombra\_Bin\x64\Release\Sombra.pdb | PDB path | SombRAT x64
C:\Wokrflow\CostaRicto\Release\CostaBricks.pdb | PDB path | SombRAT loader
%HOSTNAME%UI724 | Mutex | Run-once mutex
%HOSTNAME%SUI724 | Mutex | Run-once mutex
sbibd[.]net | Domain | SombRAT C2
infosportals[.]com | Domain | SombRAT C2
akams[.]in | Domain | SombRAT C2
newspointview[.]com | Domain | SombRAT C2
159.65.31.84 | IP | SombRAT hosting
212.83.61.227 | IP | sbibd[.]net
144.217.53.146 | IP | sbibd[.]net, akams[.]in, infosportals[.]com
45.89.175.206 | IP | akams[.]in
45.138.172.54 | IP | newspointview[.]com
212.114.52.98 | IP | infosportals[.]com

Yara Rules:

import "pe"
import "hash"

rule costaricto_vm_dropper
{
    meta:
        description = "Rule to detect SombRAT loader by code similarity"
        author = "BlackBerry Threat Hunting and Intelligence Team"
    strings:
        // vm class name
        $classname = "VMBASERUNNER" ascii wide nocase
        // start of vm bytecode
        $vmbytecode = {37C7359438C73594}
        // start of encrypted payload
        $encpayload_1 = {77D2C7AC59B2EB0DF37028AC950971FB}
        // binary string from enc payload (some payloads differ only in the header)
        $encpayload_2 = {06359D29C83125C321C201CF9AE7D1626B8F4281C33617EECE86BD106C628FE593936F00C2C68E28843BE5374F876840FCD1BFD014D5DEFF4BA8EB6A5FFFB24F932138B04C1BE6D5BD8BB572B8116799AE1C8F0D5DB774ABA4884B9E706981FC3740B4CD891F8A0EA6900D41B675CFC98A}
        // vm execution loop
        $vmcode_1 = {8B ?? 08 8B ?? 0C 89 ?? 29 ?? C1 ?? 02 39 ?? 74 4E 83 ?? ?? 08 8D ?? ?? 8B ?? ?? 8D ?? 01 89 ?? 8B ?? ?? 66 83 ?? 08 00 75 28 8B ?? ?? 8D ?? 04 5? 5? E8 ?? ?? FF FF 8B ?? ?? 83 ?? 0C 5? 8B ?? 0C 89 ?? 5? FF ?? 14 83 C4 08 8B ?? 8B ?? 08 8B ?? 0C 89 ?? 29 ?? C1 ?? 02 39 ?? 89 ?? 75 B9}
        // vm execution loop (sample from Nov 2019)
        $vmcode_2 = {8B ?? 4? 89 ?? 8B ?? 08 8B ?? 88 33 ?? 66 39 ?? 08 75 19 8D ?? 04 5? 8D ?? 08 E8 ?? ?? 00 00 8B ?? 8D ?? 0C 5? 5? FF ?? 5? 5? 8B ?? 8B ?? 0C 2B ?? 08 C1 ?? 02 3B ?? 75 C7}
    condition:
        uint16(0) == 0x5a4d and filesize < 5MB and filesize > 20KB and any of them
}

rule costaricto_vm_dropper_pdb_path
{
    meta:
        description = "Rule to detect samples with CostaRicto PDB path"
        author = "BlackBerry Threat Hunting and Intelligence Team"
        pdb_string = "C:\\Wokrflow\\CostaRicto\\Release\\CostaBricks.pdb"
    strings:
        $a = "CostaRicto" ascii wide nocase
        $b = "CostaBricks.pdb" ascii wide nocase
        $c1 = "C:\\Wokrflow\\" ascii wide nocase
        $c2 = "Release" ascii wide nocase
        $c3 = ".pdb" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and filesize < 5MB and filesize > 20KB and ($a or $b or all of ($c*))
}

rule costaricto_sobmrat_pdb_path
{
    meta:
        description = "Rule to detect samples with SombRAT PDB path"
        author = "BlackBerry Threat Hunting and Intelligence Team"
        pdb_string = "C:\\Projects\\Sombra\\_Bin\\x64\\Release\\Sombra.pdb"
        pdb_string_2 = "c:\\projects\\sombra\\libraries"
    strings:
        $a = "\\Projects\\Sombra\\" ascii wide nocase
        $b = "Sombra.pdb" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and filesize < 5MB and filesize > 20KB and ($a or $b)
}

rule costaricto_backdoored_blink
{
    meta:
        description = "Rule to detect backdoored Blink application"
        author = "BlackBerry Threat Hunting and Intelligence Team"
    strings:
        $a1 = "Failed to open target application process!"
        $a2 = "Machine architecture mismatch between target application and this application!"
        $a3 = "Failed to create new communication pipe!"
        $b = "Plauger, licensed by Dinkumware, Ltd."
    condition:
        uint16(0) == 0x5a4d and filesize < 5MB and filesize > 50KB and ($b and 1 of ($a*))
}

rule costaricto_rich_header
{
    meta:
        description = "Rule to detect Rich header associated with CostaRicto campaign"
        author = "BlackBerry Threat Hunting and Intelligence Team"
    condition:
        pe.rich_signature.toolid(0xf1, 40116) and
        pe.rich_signature.toolid(0xf3, 40116) and
        pe.rich_signature.toolid(0xf2, 40116) and
        pe.rich_signature.toolid(0x105, 26706) and
        pe.rich_signature.toolid(0x104, 26706) and
        pe.rich_signature.toolid(0x103, 26706) and
        pe.rich_signature.toolid(0x93, 30729) and
        pe.rich_signature.toolid(0x109, 27023) and
        pe.rich_signature.toolid(0xff, 27023) and
        pe.rich_signature.toolid(0x97, 0) and
        pe.rich_signature.toolid(0x102, 27023)
}

rule costaricto_rich_header_august
{
    meta:
        description = "Rule to detect Rich header associated with CostaRicto campaign"
        author = "BlackBerry Threat Hunting and Intelligence Team"
    condition:
        pe.rich_signature.toolid(0xf1, 40116) and
        pe.rich_signature.toolid(0xf2, 40116) and
        pe.rich_signature.toolid(0xf3, 40116) and
        pe.rich_signature.toolid(0x102, 26428) and
        pe.rich_signature.toolid(0x103, 26131) and
        pe.rich_signature.toolid(0x104, 26131) and
        pe.rich_signature.toolid(0x105, 26131) and
        pe.rich_signature.toolid(0x103, 26433) and
        pe.rich_signature.toolid(0x104, 26433) and
        pe.rich_signature.toolid(0x109, 26428) and
        pe.rich_signature.toolid(0x93, 30729) and
        pe.rich_signature.toolid(0xff, 26428)
}

rule costaricto_rich_xor_key
{
    meta:
        description = "Rule to detect Rich header associated with CostaRicto campaign"
        author = "BlackBerry Threat Hunting and Intelligence Team"
    condition:
        // x86 droppers
        pe.rich_signature.key == 0x2e8d923f or
        pe.rich_signature.key == 0x97d94c45 or
        // x86 payload
        pe.rich_signature.key == 0xef257087 or
        pe.rich_signature.key == 0x4f257087 or
        pe.rich_signature.key == 0x1e816e7e or
        // x64 payload
        pe.rich_signature.key == 0xd1e5ae6c or
        pe.rich_signature.key == 0x5df9c60b
}

rule costaricto_sombrat_unpacked
{
    meta:
        description = "Rule to detect unpacked SombRAT backdoor"
        author = "BlackBerry Threat Hunting and Intelligence Team"
    strings:
        // class names
        $a1 = "PEHeadersBackup"
        $a2 = "PeLoaderDummy"
        $a3 = "PeLoaderLocal"
        $a4 = "PeLoaderBaseClass"
        $a5 = "PDTaskman"
        $a6 = "PDMessageParamArray"
        $a7 = "NetworkDriverLayerWebsockets"
        $a8 = "NetworkDriverLayerDNSReader"
        $a9 = "WaitForPluginIOCPFullyClosed"
        // substitution-encrypted strings
        $b1 = "~ydcv{{rs{~|r"           // installedlike
        $b2 = "~yg{vcqxez"              // winplatform
        $b3 = "~yqxezvc~xyvttrgcrs"     // informationaccepted
        $b4 = "xvsqexzdcxevpr"          // loadfromstorage
        $b5 = "xvsqexzzrzxen"           // loadfrommemory
        $b7 = "xgrydcxevpr"             // openstorage
        $b8 = "g{bp~y{xvstxzg{rcr"      // pluginloadcomplete
        $b9 = "g{bp~yby{xvs"            // pluginunload
        // AES-encrypted strings
        $c1 = {44 5B 7F 52 0C 13 52 1A 16 45 4C 75 65 72 60 53}
        // RSA public key
        $d1 = {EF C9 77 B9 A3 8E 48 92 77 C8 E1 E1 0C 46 35 2B}
    condition:
        uint16(0) == 0x5a4d and filesize < 5MB and filesize > 20KB and any of them
}

rule costaricto_pcheck_proxy
{
    meta:
        description = "Rule to detect a custom proxy tool related to the CostaRicto campaign"
        author = "BlackBerry Threat Hunting and Intelligence Team"
    strings:
        $a = "exe.exe host host_port proxy_host proxy_port"
        $b = "Tool jobs done"
    condition:
        uint16(0) == 0x5a4d and filesize < 500KB and filesize > 10KB and ($a or $b)
}

rule costaricto_pscan_port_scanner
{
    meta:
        description = "Rule to detect a custom port scanner tool related to the CostaRicto campaign"
        author = "BlackBerry Threat Hunting and Intelligence Team"
    strings:
        $a1 = "Invalid arguments count (ver "
        $a2 = "Example: ./pscan"
        $a3 = "127-130.0.0.1"
        $b1 = "[output.txt]"
        $b2 = "Invalid ip address range"
    condition:
        // the string alternatives are parenthesised so that the PE-header and
        // file-size checks apply to both branches ("and" binds tighter than "or")
        uint16(0) == 0x5a4d and filesize < 500KB and filesize > 10KB and (any of ($a*) or all of ($b*))
}
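As an added example (not code from the BlackBerry report), the following Python decodes the $b strings of rule costaricto_sombrat_unpacked: lining each pattern up with its commented plaintext shows that the substitution is a fixed XOR of every byte with 0x17, so the key can be recovered from a single known pair, used to confirm the rule's comments, and then used to search raw data such as a memory dump for further encoded strings. The sample buffer and the helper names are constructed for this example.

```python
# Added example, not code from the BlackBerry report: decode the "substitution-
# encrypted" strings listed in rule costaricto_sombrat_unpacked and scan raw data
# for more of them. Each $b pattern maps to its commented plaintext by XOR 0x17.
# ($b pattern, plaintext from the rule's comment), copied from the YARA rule.
RULE_STRINGS = [
    ("~ydcv{{rs{~|r", "installedlike"),
    ("~yg{vcqxez", "winplatform"),
    ("~yqxezvc~xyvttrgcrs", "informationaccepted"),
    ("xvsqexzdcxevpr", "loadfromstorage"),
    ("xvsqexzzrzxen", "loadfrommemory"),
    ("xgrydcxevpr", "openstorage"),
    ("g{bp~y{xvstxzg{rcr", "pluginloadcomplete"),
    ("g{bp~yby{xvs", "pluginunload"),
]

def recover_key(cipher: str, plain: str) -> int:
    """Known-plaintext recovery of a single-byte XOR key. The rule trims the
    first character of some strings, so the pair is aligned from the end."""
    plain = plain[-len(cipher):]
    keys = {ord(c) ^ ord(p) for c, p in zip(cipher, plain)}
    if len(keys) != 1:
        raise ValueError("not a single-byte XOR substitution")
    return keys.pop()

def decode(cipher: str, key: int) -> str:
    return "".join(chr(ord(c) ^ key) for c in cipher)

def rule_comments_consistent(key: int) -> bool:
    """True if every $b pattern decodes to (a suffix of) its commented plaintext."""
    return all(p.endswith(decode(c, key)) for c, p in RULE_STRINGS)

def find_encoded(buf: bytes, key: int, words) -> list:
    """Detection helper: offsets of XOR-encoded copies of known words in raw
    data such as an unpacked SombRAT memory dump, as (offset, word) pairs."""
    hits = []
    for w in words:
        enc = bytes(b ^ key for b in w.encode())
        pos = buf.find(enc)
        while pos != -1:
            hits.append((pos, w))
            pos = buf.find(enc, pos + 1)
    return sorted(hits)

if __name__ == "__main__":
    key = recover_key(*RULE_STRINGS[0])  # 0x17 for the strings on this page
    for c, p in RULE_STRINGS:
        print(f"{c:20} -> {decode(c, key):20} (comment: {p})")
    # Constructed sample buffer, not real malware data.
    sample = b"\x00" * 4 + b"xgrydcxevpr" + b"\x00" * 3 + b"g{bp~yby{xvs"
    print(find_encoded(sample, key, ["openstorage", "pluginunload"]))
```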

Acknowledgement and reference:

https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced
