BlackBerry's security team has revealed details today about a new hacker-for-hire mercenary group they discovered earlier this year, and which they tied to attacks on victims all over the world.
The group, which BlackBerry named CostaRicto, is the fifth hacker-for-hire group discovered this year, after the likes of:
- BellTrox (aka Dark Basin) [1, 2, 3]
- DeathStalker (aka Deceptikons) [1, 2]
- Bahamut [1, 2]
- Unnamed group
CostaRicto's discovery also retroactively confirms a Google report from May, when the US tech giant highlighted the growing number of hacker-for-hire mercenary groups, and especially those operating out of India.
However, while BellTrox has been linked to an Indian entity and Bahamut is suspected of operating out of India as well, details about CostaRicto's origins and current whereabouts remain unknown.
What is currently known is that the group has orchestrated attacks across the globe, hitting victims in Europe, the Americas, Asia, Australia, and Africa.
However, BlackBerry says the biggest concentration of victims appears to be in South Asia, and especially India, Bangladesh, and Singapore, suggesting that the threat actor could be based in the region, "but working on a wide range of commissions from diverse clients."
As for the nature of the targets, the BlackBerry Research and Intelligence Team said in a report today that "the victims' profiles are diverse across several verticals, with a large portion being financial institutions."
Furthermore, BlackBerry says that "the diversity and geography of the victims doesn't fit a picture of a campaign sponsored by a specific state" but suggests that they are "a mix of targets that could be explained by different assignments commissioned by disparate entities."
CostaRicto group linked to new sophisticated Sombra malware
BlackBerry also adds that while the group is using custom-built, never-before-seen malware, it is not relying on any revolutionary techniques.
Most of their attacks rely on stolen credentials or spear-phishing emails as the initial access vector. These emails usually deliver a backdoor trojan that BlackBerry has named Sombra or SombRAT.
The backdoor allows CostaRicto operators to access infected hosts, search for sensitive files, and exfiltrate important documents.
This data is usually sent back to CostaRicto command-and-control infrastructure, which BlackBerry says is typically hosted on the dark web and accessible only via Tor.
Furthermore, the infected hosts usually reach these servers through a layer of proxies and SSH tunnels, so that the victim organization sees only an encrypted SSH session to an intermediate host rather than the malicious traffic or the Tor-hosted C2 itself.
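The operational pattern described above (C2 traffic wrapped in SSH tunnels to intermediate hosts) is also what gives defenders something to look for: the first hop out of the network is still an SSH session, and one that the victim's own IT staff did not set up. The script below is an added example, not code or indicators from the BlackBerry report, showing a generic hunt over Zeek-style `conn.log` records for SSH sessions to external hosts that are not on an approved list, run on a non-standard port, stay open for hours, or carry an unusually large upload. The log lines, the `10.0.0.0/8` internal range, the documentation-range external IPs, and the `SSH_ALLOWLIST` entry are all constructed for the example; the thresholds are assumptions to be tuned against your own baseline.

```python
"""Heuristic hunt for SSH-tunnel egress in Zeek-style conn.log records.

Added example, not from the BlackBerry report: the rules below are generic
tunnel-egress heuristics, not CostaRicto indicators. All log lines, addresses
and thresholds are constructed/assumed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample using a subset of Zeek conn.log TSV fields, in this order:
# ts  id.orig_h  id.resp_h  id.resp_p  proto  service  duration  orig_bytes  resp_bytes
# Zeek labels 'service' by protocol detection, so SSH on port 443 is still 'ssh'.
SAMPLE_CONN_LOG = """\
1604995200.1\t10.0.5.17\t10.0.1.9\t22\ttcp\tssh\t12.4\t4120\t9800
1604995260.7\t10.0.5.17\t203.0.113.45\t22\ttcp\tssh\t7211.9\t58120034\t884211
1604995300.2\t10.0.8.22\t198.51.100.7\t443\ttcp\tssh\t3650.3\t12000321\t40211
1604995400.5\t10.0.8.22\t198.51.100.7\t443\ttcp\tssl\t0.9\t1520\t8800
1604995500.0\t10.0.5.17\t192.0.2.10\t22\ttcp\tssh\t30.1\t2200\t3100
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]          # assumed internal range
SSH_ALLOWLIST = {"192.0.2.10"}   # hypothetical approved external SSH endpoint (e.g. vendor bastion)
LONG_SESSION_SECONDS = 3600      # assumed threshold for a "long-lived" session
LARGE_UPLOAD_BYTES = 10 * 1024 * 1024  # assumed threshold for a suspicious upload volume


@dataclass
class Conn:
    ts: float
    src: str
    dst: str
    dport: int
    proto: str
    service: str
    duration: float
    orig_bytes: int
    resp_bytes: int


def parse_conn_log(text):
    """Parse the TSV subset above into Conn records, skipping blanks and '#' header lines."""
    conns = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        conns.append(Conn(float(f[0]), f[1], f[2], int(f[3]), f[4], f[5],
                          float(f[6]), int(f[7]), int(f[8])))
    return conns


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_suspicious_ssh(conns):
    """Return (src, dst, dport, reasons) for outbound SSH sessions that trip any heuristic.

    Only SSH to *external* destinations is considered; internal admin SSH is out of scope here.
    """
    findings = []
    for c in conns:
        if c.service != "ssh" or is_internal(c.dst):
            continue
        reasons = []
        if c.dport != 22:
            reasons.append(f"ssh over non-standard port {c.dport}")
        if c.dst not in SSH_ALLOWLIST:
            reasons.append("external ssh endpoint not on allowlist")
        if c.duration >= LONG_SESSION_SECONDS:
            reasons.append(f"long-lived session ({c.duration:.0f}s)")
        if c.orig_bytes >= LARGE_UPLOAD_BYTES:
            reasons.append(f"large upload ({c.orig_bytes} bytes out)")
        if reasons:
            findings.append((c.src, c.dst, c.dport, reasons))
    return findings


if __name__ == "__main__":
    for src, dst, dport, reasons in find_suspicious_ssh(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"{src} -> {dst}:{dport}")
        for r in reasons:
            print(f"    - {r}")
```

On the constructed sample, the approved vendor bastion on port 22 is left alone, while the two tunnel-like sessions (one on 22 to an unapproved host, one running SSH on 443) are flagged with the reasons that fired. Note the limit inherent in the technique the article describes: because the tunnel terminates at a proxy hop, what you see is the first hop only, so the destination is a relay, not the Tor-hosted C2, and the useful signal is "who on this network is tunnelling SSH out, and why", not the remote address itself.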
All in all, BlackBerry says these practices "demonstrate better-than-average operation security" when compared to the average hacking group.
All the CostaRicto malware samples that BlackBerry discovered have been traced back to as early as October 2019, but other clues on the gang's servers suggest the group may have been active even earlier, as far back as 2017.
Furthermore, researchers said they also discovered an infrastructure overlap with past campaigns from APT28, one of Russia's military hacking units, but BlackBerry believes the server overlap may have been accidental rather than a sign of a shared operator.
Hacker-for-hire groups — the new landscape
For many years, most hacking groups have operated as stand-alone crews, carrying out financially-motivated attacks, stealing data, and selling it for their own profit.
The public exposures of BellTrox, DeathStalker, Bahamut, and CostaRicto this year show a maturing hacker-for-hire scene, with more and more groups renting their services to multiple customers with different agendas instead of operating as lone wolves.
The next step in investigating these groups will need to look at who their clients are. Are they private companies or foreign governments? Or are they both?