CostaBricks

CostaBricks is a Trojan loader that works in a very peculiar way. Cybersecurity experts believe that the CostaBricks Trojan is being used by an Advanced Persistent Threat (APT) group known as CostaRicto exclusively. The criminals are believed to work for the highest bidders, and they belong to the category known as 'hackers-for-hire.' The CostaBricks is by no means a simple project, and its complex nature is proof that the CostaRicto APT members are not just skilled and experienced, but they also have the funding required to polish their threatening software.

The trick that the CostaBricks Loader uses to load corrupted code is not entirely new, but it is usually executed with commercial software packers' help. Instead of relying on public tools, the CostaRicto APT hackers have opted to write a 'code virtualization' method that fits their particular needs and payloads. So far, the CostaBricks Loader has only been used with the SombRAT, and it was only identified on 32-bit systems.

Advanced Trojan Loader Used to Deploy the SombRAT

The 'code virtualization' method that the CostaBricks Loader uses helps it bypass automatic security tools. The loader also seems to feature plenty of junk code and the code of an unpopular open-source application. Neither of these pieces is used actively during the attack, so their likely purpose is to confuse anti-malware tools.

The CostaRicto APT hackers appear to be monitoring and updating their toolset regularly, which shows that they are keeping a close eye on their campaigns. The CostaBricks Loader fits a very specific niche, and it is certain that the CostaRicto hackers are the sole users and developers of this implant.