BlackBerry’s security team has come across a group of hackers offering their services for hire. The group calls itself CostaRicto and appears to be based in South Asia.
The group is responsible for a series of orchestrated attacks on targets across several continents, although most of them take place in India, Bangladesh and Singapore. Because of that, BlackBerry suspects the group is based in that region.
Because the targets are so diverse, BlackBerry believes the hackers are not aligned with any single state, but instead carry out assignments for different clients.
According to BlackBerry, the group has developed its own malware, Sombra (also referred to as SombRAT), named after the Overwatch character Sombra. The code is well-structured and clearly versioned. Based on the version numbers, BlackBerry estimates that the group has been working on the software since October 2019, although the group itself has probably been active since 2017.
The attacks rely largely on stolen login credentials and targeted spear-phishing. Using the stolen credentials, the hackers gain a foothold and infect the targets with the Sombra trojan. Sombra then searches the infected systems for sensitive data and sends it back to CostaRicto.
CostaRicto's command-and-control infrastructure is well protected and reachable only via Tor. The infected systems route the stolen data through multiple proxies and SSH tunnels so that the targeted organizations do not notice the malicious network traffic. BlackBerry considers the group's operational security above average because of these measures.
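Exfiltration through SSH tunnels is hard to spot because the traffic is encrypted, but long-lived, outbound-heavy SSH sessions to hosts the organization never normally talks to still stand out in flow logs. The script below is an added example written for this page, not BlackBerry's tooling and not anything attributed to CostaRicto; the flow-log format, the sample records, the internal allow-list and the thresholds are all assumptions chosen for the illustration.

```python
"""Added example: flag outbound SSH sessions that look like exfiltration tunnels.

Illustrative code for this article, not BlackBerry's or the attackers' code.
The log format, sample lines, allow-list and thresholds are assumptions.
"""
import csv
import io
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed flow-log sample (assumed format: one line per completed connection).
SAMPLE_FLOWS = """\
ts,src,dst,dport,duration_s,bytes_out,bytes_in
2020-11-12T08:01:10Z,10.0.5.23,10.0.9.4,22,35,18000,22000
2020-11-12T08:05:44Z,10.0.5.23,203.0.113.17,22,7200,940000000,3100000
2020-11-12T08:06:02Z,10.0.5.41,198.51.100.9,443,12,4100,88000
2020-11-12T08:20:19Z,10.0.7.8,192.0.2.77,22,5400,12000000,210000
2020-11-12T08:21:00Z,10.0.7.8,10.0.9.4,22,60,3000,2000
"""

# Networks the organization legitimately reaches over SSH (assumed allow-list).
ALLOWED_SSH_DESTINATIONS = [ip_network("10.0.0.0/8")]


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    duration_s: int
    bytes_out: int
    bytes_in: int


def parse_flows(text: str) -> list[Flow]:
    """Parse the CSV flow log into Flow records, converting numeric fields."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        Flow(
            ts=row["ts"],
            src=row["src"],
            dst=row["dst"],
            dport=int(row["dport"]),
            duration_s=int(row["duration_s"]),
            bytes_out=int(row["bytes_out"]),
            bytes_in=int(row["bytes_in"]),
        )
        for row in reader
    ]


def is_allowed_destination(dst: str) -> bool:
    """True if the destination is inside a network we expect SSH traffic to."""
    addr = ip_address(dst)
    return any(addr in net for net in ALLOWED_SSH_DESTINATIONS)


def suspicious_ssh(flows: list[Flow], min_duration_s: int = 1800,
                   min_out_ratio: float = 5.0) -> list[Flow]:
    """Return SSH flows to non-allow-listed hosts that are both long-lived and
    dominated by outbound bytes, the shape an exfiltration tunnel tends to have.
    Interactive admin sessions are short or roughly symmetric and are not flagged."""
    flagged = []
    for f in flows:
        if f.dport != 22 or is_allowed_destination(f.dst):
            continue
        long_lived = f.duration_s >= min_duration_s
        outbound_heavy = f.bytes_out >= min_out_ratio * max(f.bytes_in, 1)
        if long_lived and outbound_heavy:
            flagged.append(f)
    return flagged


if __name__ == "__main__":
    for f in suspicious_ssh(parse_flows(SAMPLE_FLOWS)):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport} "
              f"duration={f.duration_s}s out={f.bytes_out} in={f.bytes_in}")
```

On the constructed sample this flags the two external sessions (to 203.0.113.17 and 192.0.2.77) and ignores the short internal sessions to 10.0.9.4. The heuristic only covers tunnels that actually use port 22; data pushed through a proxy on 443 or an SSH server listening on a non-standard port needs protocol identification rather than a port check, and the thresholds must be tuned against the organization's own baseline to keep backup and replication jobs from being flagged.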