Cyber-Mercenaries Sell Espionage Campaigns

Ransomware-as-a-Service (RaaS), dedicated phishing campaigns, and digital espionage can be bought on the cyber-criminal underground, according to new research by BlackBerry.

In a report published today, BlackBerry's Research and Intelligence team reveals the illegal activities of a cyber-espionage campaign they have been tracking for six months. 

The campaign, dubbed CostaRicto by the researchers, appears to be run by a group of APT mercenaries, so-called "hackers-for-hire", who use bespoke malware tooling together with complex VPN proxy and SSH tunneling capabilities.

Key findings of the report are that CostaRicto targets can be found the world over: in Europe, the Americas, Asia, Australia, and Africa. However, the majority of targets are concentrated in South Asia, particularly in India, Bangladesh, and Singapore.

Researchers say this data could suggest that the threat actor behind the campaign is based in that region but selling their illegal services on an international black market to the highest bidders. 

The command-and-control (C2) servers utilized by CostaRicto are managed via Tor and/or through a layer of proxies. The attacker practices "better-than-average operation security," creating a complex network of SSH tunnels established in the victim’s environment. 
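The SSH tunnel network described above is something a defender can look for in process-execution telemetry: the tunnel is built with ordinary ssh options (-R, -L, -D, -w, -J, ProxyCommand), so the command line of the ssh process is the tell. The following triage routine is an added example written for this page, not code from BlackBerry's report or from the CostaRicto tooling; the command lines it scans are constructed samples, the host names and addresses in them are placeholders, and the Tor SOCKS port check relies only on the daemon's default port 9050 and Tor Browser's 9150.

```python
import os
import shlex
from typing import Dict, List

# Constructed sample process command lines, of the kind an EDR or auditd
# execve record would give you. They are illustrative, not from the report.
SAMPLE_CMDLINES = [
    "ssh -N -R 2222:127.0.0.1:22 svc@203.0.113.10",
    "ssh -fN -D 1080 jump@198.51.100.7",
    "ssh -L8080:10.0.0.5:80 admin@10.0.0.1",
    "ssh -o 'ProxyCommand=nc -X 5 -x 127.0.0.1:9050 %h %p' user@198.51.100.7",
    "ssh -J bastion@10.0.0.2 db@10.0.0.9",
    "ssh user@10.0.0.3 uptime",
    "/usr/bin/python3 /opt/app/worker.py",
]

# ssh options that relay or forward traffic, with what each means for a defender.
TUNNEL_FLAGS = {
    "-R": "remote (reverse) forward: the far end gets a path back into this network",
    "-L": "local port forward",
    "-D": "dynamic SOCKS proxy: arbitrary traffic relayed via this host",
    "-w": "tun device forward: a layer-3 VPN over SSH",
}
# ssh options that consume the next argument (or have it glued on, as in -R2222:...).
VALUE_FLAGS = set(TUNNEL_FLAGS) | {"-J", "-o", "-p", "-i", "-l", "-b", "-c", "-e",
                                   "-F", "-I", "-m", "-O", "-S", "-W", "-B", "-E", "-Q"}
TOR_SOCKS_PORTS = ("9050", "9150")  # default Tor SOCKS ports (daemon and Tor Browser)


def _take_value(arg: str, argv: List[str], i: int):
    """Return (flag, value, next_index) for '-Xvalue' or '-X value' spellings."""
    flag = arg[:2]
    if len(arg) > 2:
        return flag, arg[2:], i + 1
    if i + 1 < len(argv):
        return flag, argv[i + 1], i + 2
    return flag, "", i + 1


def classify_ssh_cmdline(cmdline: str) -> Dict:
    """Inspect one process command line and report tunnel/relay indicators."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:          # unbalanced quotes in a raw log line
        argv = cmdline.split()
    if not argv or os.path.basename(argv[0]) != "ssh":
        return {"is_ssh": False, "severity": "none", "findings": [], "background": False}

    findings, background = [], False
    i = 1
    while i < len(argv):
        arg = argv[i]
        if not arg.startswith("-") or arg == "-":
            i += 1                  # user@host or the remote command, not an option
            continue
        if arg[:2] in VALUE_FLAGS:
            flag, value, i = _take_value(arg, argv, i)
            if flag in TUNNEL_FLAGS:
                findings.append((flag, value, TUNNEL_FLAGS[flag]))
            elif flag == "-J":
                findings.append((flag, value, "jump-host chaining"))
            elif flag == "-o" and value.lower().lstrip().startswith("proxycommand"):
                meaning = "ProxyCommand relay"
                if any(f":{p}" in value for p in TOR_SOCKS_PORTS):
                    meaning += " through a Tor SOCKS port"
                findings.append((flag, value, meaning))
            continue
        # bundled boolean flags such as -fN: no remote command, go to background
        if "N" in arg[1:] or "f" in arg[1:]:
            background = True
        i += 1

    flags = {f for f, _, _ in findings}
    if "-R" in flags or "-w" in flags or ("-D" in flags and background):
        severity = "high"       # an inbound path, or a general-purpose relay with no interactive use
    elif flags:
        severity = "medium"
    else:
        severity = "low"
    return {"is_ssh": True, "severity": severity, "findings": findings, "background": background}


def triage(cmdlines: List[str]) -> List[Dict]:
    """Return the command lines worth an analyst's attention, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2, "none": 3}
    hits = []
    for c in cmdlines:
        r = classify_ssh_cmdline(c)
        if r["is_ssh"] and r["findings"]:
            hits.append({"cmdline": c, **r})
    return sorted(hits, key=lambda h: order[h["severity"]])


if __name__ == "__main__":
    for h in triage(SAMPLE_CMDLINES):
        print(f"[{h['severity']:6}] {h['cmdline']}")
        for flag, value, meaning in h["findings"]:
            print(f"         {flag} {value}: {meaning}")
```

Reverse forwards (-R) and tun forwards (-w) are rated highest because they hand the remote side a route into the network, which is exactly what a tunnel-chaining operator wants; a SOCKS proxy started with -N/-f (no command, detached) is rated the same because nobody runs that interactively. A single -L or a jump host is common administrative practice, so it is flagged for review rather than alerted on, and the routine should be fed with the user and parent process from the same telemetry before a rule is built on it.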

A strain of malware that hasn't been seen before is used to create a backdoor in the victim's network. Researchers described the malware as "a custom-built tool with a suggestive project name, well-structured code, and detailed versioning system." 

Whoever created the backdoor project named it Sombra, a reference to a character in the video game Overwatch who specializes in intelligence assessment and espionage and is known for their hacking abilities. 

The malware appears to have been rolled out in October 2019, but version numbers suggest that the project is still in the debug testing phase. Researchers found indications that the operation may have been around even longer.

"The timestamps of payload stagers go back to 2017, which might suggest the operation itself has been going on for a while, but used to deliver a different payload," said researchers.

An IP address to which the backdoor's domains were registered overlaps with a pre-existing phishing campaign attributed to APT28. However, the researchers believe a direct link between CostaRicto and that advanced persistent threat group is unlikely.
