Researchers at Blackberry have identified a new global campaign that the company believes shows the hallmarks of an as-a-service attack campaign: it uses a mixture of complex, bespoke malware and inconsistent, yet deliberate, choices of targets.
"We're hoping by publishing, the community can help us pick up the breadcrumbs," said Tom Bonner, distinguished threat researcher at Blackberry. "We're not sure what the endgames are."
CostaRicto, a name Blackberry derived from a project title in the malware, has attacked countries on every continent save South America and Antarctica. While the full array of industries involved in the attacks is being kept secret for client protection reasons, Bonner says they've hit targets ranging from banking to retail. Based on targeting alone, it might seem like a traditional crime operation: state groups tend to focus on specific industries, locations and targets of particular value.
But, said Eric Milam, vice president of research operations, it doesn't seem like crime is the end goal.
"Everything put in place is for secure communications and data transfer," he said. "They had access long enough that if they were going to deploy ransomware, they would have deployed ransomware. If the goal was money, they would have done something that'd earn money by now."
The two-stage malware used by CostaRicto is unusually complex for a smash-and-grab criminal operation. The group developed its own virtual machine to run its own bytecode. The malware is fileless. There is not a lot of off-the-shelf tooling.
"It looks like exfiltrating data is the point, but we're looking at some of the clients they've attacked and thinking, 'really?'" said Bonner.
Milam agreed: "One of the clients, from a vertical we did not include in the report, seems like a vertical that would be ransomed quickly."
One notable tidbit from the code giving some limited insight into its creators was the remote access trojan, "SombRAT," which appears to be a reference to the Overwatch video game character Sombra. That does not narrow down who the attacker is; Russian intelligence famously co-opted a name from Dune.
CostaRicto hardcoded several spoofed domains into its malware, including one for sbibd[.]net, which may be a reference to the State Bank of India, Bangladesh. Aspects of its infrastructure appeared to share an IP address with a website used by APT 28, but that may be a result of a poorly run webhosting company rather than a connection to the group.
For defenders, Bonner said, the message is simple and "boring": use the same good hygiene you'd use to protect against any attack, update all the security products and incorporate the Yara rules.
For researchers, he said, start picking up those breadcrumbs. "We could have done six months more of research on this. We thought it would be best to get this out quickly."