ThaiCERT    ETDA    MDES
Report
Search
Home > List all groups > List all tools > List all groups using tool CostaBricks

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: CostaBricks

NamesCostaBricks
CategoryMalware
TypeLoader
Description(BlackBerry) The loader used with 32-bit backdoors is more technically compelling. It implements a simple custom-built virtual machine mechanism that will execute an embedded bytecode to decode and inject the payload into memory.
This attempt at obfuscation, although not new, is rather uncommon in relation to targeted attacks. Code virtualization has been most prevalent in commercial software protectors which use much more advanced solutions; simpler virtual machines are sometimes also featured in off-the-shelf malicious packers used by widespread financial crimeware. This particular implementation, however, is unique (there are just a handful of samples in the public domain) and seems to be used only with SombRAT payloads – which makes us believe it is a custom-built tool that is private to the attackers.
Information<https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced>

Last change to this tool card: 05 January 2021

Download this tool card in JSON format

All groups using tool CostaBricks

ChangedNameCountryObserved

APT groups

 CostaRicto[Unknown]2017 

1 group listed (1 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key