Threat Alert – ‘CostaRicto’ Hack-for-Hire Mercenary Group: Targets Global Businesses
by CIRT Team
A hackers-for-hire operation has been discovered using a strain of previously undocumented malware to target South Asian financial institutions and global entertainment companies.
The BlackBerry Research and Intelligence team have been monitoring a cyber-espionage campaign that is targeting disparate victims around the globe. The campaign, dubbed CostaRicto by BlackBerry, appears to be operated by “hackers-for-hire”, a group of APT mercenaries who possess bespoke malware tooling and complex VPN proxy and SSH tunnelling capabilities.
Targeting
Their targets are located in numerous countries across the globe with just a slight concentration in the South-Asian region:
India
Bangladesh
Singapore
China
U.S.
Bahamas
Australia
Mozambique
France
Netherlands
Austria
Portugal
Czechia
The victims’ profiles are diverse across several verticals, with a large portion being financial institutions.
Delivery
After gaining access to the victim’s environment (presumably by using stolen credentials, either obtained via phishing or bought on the dark web), the attacker sets up remote tunnelling using an SSH tool. The tool is configured to redirect traffic from a malicious domain to a proxy that is listening on a local port. The tunnel is authenticated using the attacker’s private key.
In order to pull down the backdoor, a payload stager, either HTTP or reverse-DNS, is executed with the use of a scheduled task.
The backdoor comes either wrapped up in a PowerSploit reflective loader, or in the form of a custom-built dropper that uses a simple virtual machine (VM) mechanism to decode and inject the payload.
The backdoor is a compiled C++ executable called SombRAT that handles its command-and-control (C2) communication via DNS tunneling.
It can also perform other simple actions, like collecting system information, listing and killing processes, and uploading files to the C2.
Indicators of Compromise (IoCs):
An indicator of compromise (IoC) in computer forensics is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion.
Indicator | Type | Description |
svolcdst.exe | Filename | SombRAT loader |
tunnusvcen.exe | Filename | SombRAT loader |
C:\Projects\Sombra\_Bin\x64\Release\Sombra.pdb | PDB path | SombRAT x64 |
C:\Wokrflow\CostaRicto\Release\CostaBricks.pdb | PDB path | SombRAT loader |
%HOSTNAME%UI724 | Mutex | Run-once mutex |
%HOSTNAME%SUI724 | Mutex | Run-once mutex |
sbibd[.]net | Domain | SombRAT C2 |
infosportals[.]com | Domain | SombRAT C2 |
akams[.]in | Domain | SombRAT C2 |
newspointview[.]com | Domain | SombRAT C2 |
159.65.31.84 | IP | SombRAT hosting place |
212.83.61.227 | IP | sbibd[.]net |
144.217.53.146 | IP | sbibd[.]net, akams[.]in, infosportals[.]com |
45.89.175.206 | IP | akams[.]in |
45.138.172.54 | IP | newspointview[.]com |
212.114.52.98 | IP | infosportals[.]com |
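Added example, not part of the original alert or the BlackBerry report: a sweep of resolver logs for the C2 domains in the table above. It matches subdomains as well as the domains themselves, because DNS tunnelling carries data in the labels under the C2 domain. The log line format and the sample lines are assumptions constructed for the example.

```python
from collections import defaultdict

# C2 domains exactly as published (defanged) in the IoC table on this page.
DEFANGED_C2 = ["sbibd[.]net", "infosportals[.]com", "akams[.]in", "newspointview[.]com"]

def refang(name):
    """Undo [.] defanging and normalise case and the trailing root dot."""
    return name.replace("[.]", ".").lower().rstrip(".")

C2_DOMAINS = {refang(d) for d in DEFANGED_C2}

def c2_parent(qname):
    """Return the C2 domain that qname equals or sits under, else None."""
    labels = refang(qname).split(".")
    # Compare whole-label suffixes so "notakams.in" does not match "akams.in".
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in C2_DOMAINS:
            return candidate
    return None

def sweep(log_lines):
    """Summarise hits per (client, C2 domain): query count and distinct names."""
    # Assumed (hypothetical) log format: "<timestamp> <client_ip> <qtype> <qname>"
    hits = defaultdict(list)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _, client, _, qname = parts
        domain = c2_parent(qname)
        if domain:
            hits[(client, domain)].append(refang(qname))
    return {k: {"queries": len(v), "distinct_names": len(set(v))}
            for k, v in hits.items()}

# Constructed sample log lines, not taken from the report.
SAMPLE_LOG = [
    "2020-11-12T10:00:01Z 10.0.0.5 A a1b2c3.sbibd.net",
    "2020-11-12T10:00:02Z 10.0.0.5 A d4e5f6.SBIBD.net.",
    "2020-11-12T10:00:03Z 10.0.0.7 A www.example.org",
    "2020-11-12T10:00:04Z 10.0.0.9 A notakams.in",
    "2020-11-12T10:00:05Z 10.0.0.9 A akams.in",
]

if __name__ == "__main__":
    for key, stats in sweep(SAMPLE_LOG).items():
        print(key, stats)
```

A client with many distinct names under one C2 domain is the pattern to prioritise, since each tunnelled message produces a new query name.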
Yara Rules:
import "pe"
import "hash"
rule costaricto_vm_dropper
{
meta:
description = "Rule to detect SombRAT loader by code similarity"
author = "BlackBerry Threat Hunting and Intelligence Team"
strings:
// vm class name
$classname = "VMBASERUNNER" ascii wide nocase
// start of vm bytecode
$vmbytecode = {37C7359438C73594}
// start of encrypted payload
$encpayload_1 = {77D2C7AC59B2EB0DF37028AC950971FB}
// binary string from enc payload (some payloads differ only in the header)
$encpayload_2 = {06359D29C83125C321C201CF9AE7D1626B8F4281C33617EECE86BD106C628FE593936F00C2C68E28843BE5374F876840FCD1BFD014D5DEFF4BA8EB6A5FFFB24F932138B04C1BE6D5BD8BB572B8116799AE1C8F0D5DB774ABA4884B9E706981FC3740B4CD891F8A0EA6900D41B675CFC98A}
// vm execution loop
$vmcode_1 = {8B ?? 08 8B ?? 0C 89 ?? 29 ?? C1 ?? 02 39 ?? 74 4E 83 ?? ?? 08 8D ?? ?? 8B ?? ?? 8D ?? 01 89 ?? 8B ?? ?? 66 83 ?? 08 00 75 28 8B ?? ?? 8D ?? 04 5? 5? E8 ?? ?? FF FF 8B ?? ?? 83 ?? 0C 5? 8B ?? 0C 89 ?? 5? FF ?? 14 83 C4 08 8B ?? 8B ?? 08 8B ?? 0C 89 ?? 29 ?? C1 ?? 02 39 ?? 89 ?? 75 B9}
// vm execution loop (sample from Nov 2019)
$vmcode_2 = {8B ?? 4? 89 ?? 8B ?? 08 8B ?? 88 33 ?? 66 39 ?? 08 75 19 8D ?? 04 5? 8D ?? 08 E8 ?? ?? 00 00 8B ?? 8D ?? 0C 5? 5? FF ?? 5? 5? 8B ?? 8B ?? 0C 2B ?? 08 C1 ?? 02 3B ?? 75 C7}
condition:
uint16(0) == 0x5a4d and filesize < 5MB and filesize > 20KB and any of them
}
rule costaricto_vm_dropper_pdb_path
{
meta:
description = "Rule to detect samples with CostaRicto PDB path"
author = "BlackBerry Threat Hunting and Intelligence Team"
pdb_string = "C:\\Wokrflow\\CostaRicto\\Release\\CostaBricks.pdb"
strings:
$a = "CostaRicto" ascii wide nocase
$b = "CostaBricks.pdb" ascii wide nocase
$c1 = "C:\\Wokrflow\\" ascii wide nocase
$c2 = "Release" ascii wide nocase
$c3 = ".pdb" ascii wide nocase
condition:
uint16(0) == 0x5a4d and filesize < 5MB and filesize > 20KB and ($a or $b or all of ($c*))
}
rule costaricto_sobmrat_pdb_path
{
meta:
description = "Rule to detect samples with SombRAT PDB path"
author = "BlackBerry Threat Hunting and Intelligence Team"
pdb_string = "C:\\Projects\\Sombra\\_Bin\\x64\\Release\\Sombra.pdb"
pdb_string_2 = "c:\\projects\\sombra\\libraries"
strings:
$a = "\\Projects\\Sombra\\" ascii wide nocase
$b = "Sombra.pdb" ascii wide nocase
condition:
uint16(0) == 0x5a4d and filesize < 5MB and filesize > 20KB and ($a or $b)
}
rule costaricto_backdoored_blink
{
meta:
description = "Rule to detect backdoored Blink application"
author = "BlackBerry Threat Hunting and Intelligence Team"
strings:
$a1 = "Failed to open target application process!"
$a2 = "Machine architecture mismatch between target application and this application!"
$a3 = "Failed to create new communication pipe!"
$b = "Plauger, licensed by Dinkumware, Ltd."
condition:
uint16(0) == 0x5a4d and filesize < 5MB and filesize > 50KB and ($b and 1 of ($a*))
}
rule costaricto_rich_header
{
meta:
description = "Rule to detect Rich header associated with CostaRicto campaign"
author = "BlackBerry Threat Hunting and Intelligence Team"
condition:
pe.rich_signature.toolid(0xf1, 40116) and
pe.rich_signature.toolid(0xf3, 40116) and
pe.rich_signature.toolid(0xf2, 40116) and
pe.rich_signature.toolid(0x105, 26706) and
pe.rich_signature.toolid(0x104, 26706) and
pe.rich_signature.toolid(0x103, 26706) and
pe.rich_signature.toolid(0x93, 30729) and
pe.rich_signature.toolid(0x109, 27023) and
pe.rich_signature.toolid(0xff, 27023) and
pe.rich_signature.toolid(0x97, 0) and
pe.rich_signature.toolid(0x102, 27023)
}
rule costaricto_rich_header_august
{
meta:
description = "Rule to detect Rich header associated with CostaRicto campaign"
author = "BlackBerry Threat Hunting and Intelligence Team"
condition:
pe.rich_signature.toolid(0xf1, 40116) and
pe.rich_signature.toolid(0xf2, 40116) and
pe.rich_signature.toolid(0xf3, 40116) and
pe.rich_signature.toolid(0x102, 26428) and
pe.rich_signature.toolid(0x103, 26131) and
pe.rich_signature.toolid(0x104, 26131) and
pe.rich_signature.toolid(0x105, 26131) and
pe.rich_signature.toolid(0x103, 26433) and
pe.rich_signature.toolid(0x104, 26433) and
pe.rich_signature.toolid(0x109, 26428) and
pe.rich_signature.toolid(0x93, 30729) and
pe.rich_signature.toolid(0xff, 26428)
}
rule costaricto_rich_xor_key
{
meta:
description = "Rule to detect Rich header associated with CostaRicto campaign"
author = "BlackBerry Threat Hunting and Intelligence Team"
condition:
// x86 droppers
pe.rich_signature.key == 0x2e8d923f or
pe.rich_signature.key == 0x97d94c45 or
// x86 payload
pe.rich_signature.key == 0xef257087 or
pe.rich_signature.key == 0x4f257087 or
pe.rich_signature.key == 0x1e816e7e or
// x64 payload
pe.rich_signature.key == 0xd1e5ae6c or
pe.rich_signature.key == 0x5df9c60b
}
rule costaricto_sombrat_unpacked
{
meta:
description = "Rule to detect unpacked SombRAT backdoor"
author = "BlackBerry Threat Hunting and Intelligence Team"
strings:
// class names
$a1 = "PEHeadersBackup"
$a2 = "PeLoaderDummy"
$a3 = "PeLoaderLocal"
$a4 = "PeLoaderBaseClass"
$a5 = "PDTaskman"
$a6 = "PDMessageParamArray"
$a7 = "NetworkDriverLayerWebsockets"
$a8 = "NetworkDriverLayerDNSReader"
$a9 = "WaitForPluginIOCPFullyClosed"
// substitution-encrypted strings
$b1 = "~ydcv{{rs{~|r" // installedlike
$b2 = "~yg{vcqxez" // winplatform
$b3 = "~yqxezvc~xyvttrgcrs" // informationaccepted
$b4 = "xvsqexzdcxevpr" // loadfromstorage
$b5 = "xvsqexzzrzxen" // loadfrommemory
$b7 = "xgrydcxevpr" // openstorage
$b8 = "g{bp~y{xvstxzg{rcr" // pluginloadcomplete
$b9 = "g{bp~yby{xvs" // pluginunload
// AES-encrypted strings
$c1 = {44 5B 7F 52 0C 13 52 1A 16 45 4C 75 65 72 60 53}
// RSA public key
$d1 = {EF C9 77 B9 A3 8E 48 92 77 C8 E1 E1 0C 46 35 2B}
condition:
uint16(0) == 0x5a4d and filesize < 5MB and filesize > 20KB and any of them
}
rule costaricto_pcheck_proxy
{
meta:
description = "Rule to detect a custom proxy tool related to the CostaRicto campaign"
author = "BlackBerry Threat Hunting and Intelligence Team"
strings:
$a = "exe.exe host host_port proxy_host proxy_port"
$b = "Tool jobs done"
condition:
uint16(0) == 0x5a4d and filesize < 500KB and filesize > 10KB and ($a or $b)
}
rule costaricto_pscan_port_scanner
{
meta:
description = "Rule to detect a custom proxy tool related to the CostaRicto campaign"
author = "BlackBerry Threat Hunting and Intelligence Team"
strings:
$a1 = "Invalid arguments count (ver "
$a2 = "Example: ./pscan"
$a3 = "127-130.0.0.1"
$b1 = "[output.txt]"
$b2 = "Invalid ip address range"
condition:
uint16(0) == 0x5a4d and filesize < 500KB and filesize > 10KB and any of ($a*) or all of ($b*)
}
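Added example, not BlackBerry's code: the data that the pe.rich_signature.key and pe.rich_signature.toolid conditions in the rules above operate on, shown by decoding a PE Rich header by hand. The input is built inside the script and is not a real sample; it pairs a key and tool ids from the rules purely for illustration, and the counts are made up.

```python
import struct

DANS = struct.unpack("<I", b"DanS")[0]
# XOR keys from the costaricto_rich_xor_key rule on this page.
KNOWN_KEYS = {0x2e8d923f, 0x97d94c45, 0xef257087, 0x4f257087,
              0x1e816e7e, 0xd1e5ae6c, 0x5df9c60b}

def parse_rich_header(data):
    """Return (xor_key, [(tool_id, version, count), ...]) or None if absent."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    stub = data[:min(pe_off, len(data))]  # Rich header sits before the PE header
    rich = stub.rfind(b"Rich")
    if rich < 0 or rich + 8 > len(stub):
        return None
    key = struct.unpack_from("<I", stub, rich + 4)[0]
    # Walk back one dword at a time to the XOR-encoded "DanS" start marker.
    start = next((off for off in range(rich - 4, 0x3F, -4)
                  if (struct.unpack_from("<I", stub, off)[0] ^ key) == DANS), None)
    if start is None:
        return None
    entries = []
    # "DanS" is followed by three padding dwords, then (id|version, count) pairs.
    for off in range(start + 16, rich - 7, 8):
        comp, count = (v ^ key for v in struct.unpack_from("<II", stub, off))
        entries.append((comp >> 16, comp & 0xFFFF, count))
    return key, entries

def has_toolid(entries, tool_id, version):
    """True if an entry has this tool id and version (what the toolid() terms test)."""
    return any(t == tool_id and v == version for t, v, _ in entries)

def build_sample(key, entries):
    """Constructed input: an MZ stub carrying only a Rich header, not a real sample."""
    dwords = [DANS, 0, 0, 0]
    for tool_id, version, count in entries:
        dwords += [(tool_id << 16) | version, count]
    rich = b"".join(struct.pack("<I", d ^ key) for d in dwords)
    rich += b"Rich" + struct.pack("<I", key)
    dos = bytearray(b"MZ" + bytes(0x7E))
    struct.pack_into("<I", dos, 0x3C, 0x80 + len(rich))
    return bytes(dos) + rich + b"PE\0\0"

# Key and tool ids come from the rules above; the pairing and counts are constructed.
SAMPLE = build_sample(0x2e8d923f, [(0xf1, 40116, 3), (0x105, 26706, 12), (0x93, 30729, 1)])

if __name__ == "__main__":
    print(parse_rich_header(SAMPLE))
```

Because the key and tool ids reflect the build environment rather than the payload bytes, these rules can still match when the code has been repacked, but they also match any unrelated binary built with the same toolchain, so treat a hit as a lead rather than a verdict.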
Acknowledgement and Reference:
https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced