SombRAT

Posted: November 13, 2020

SombRAT Description

Hackers-for-hire groups have become a very profitable venture for cybercriminals who are able to penetrate the networks of organizations around the world. These groups usually boast a well-developed arsenal of tools, since they can draw on the money of their clients. One of the groups recently believed to be engaged in this kind of activity is called CostaRicto. Its campaigns have been monitored for over six months, but malware researchers believe that the CostaRicto APT (Advanced Persistent Threat) group has been operating for more than a year. Hackers-for-hire organizations are usually labeled as such because their operations are spread all over the globe and their targets rarely have any connection to one another. This is usually a sign that the group is not picking the targets itself and is instead working according to the instructions of the highest bidder.

This Hackers-For-Hire APT Group Uses the Custom-Built SombRAT

SombRAT is one of the signature tools seen in CostaRicto's recent campaigns. The threat appears to be written in C++ and has a modular structure. The primary payload is rather limited in functionality, but its operators can extend its toolset easily by installing modules on the fly. Without add-ons, SombRAT is able to gather basic system information and to download and launch modules or other binaries.

SombRAT can use either DNS tunneling or TCP to communicate with its control server. According to reports by antivirus vendors, SombRAT supports over 50 unique commands, most of which are only available once a suitable module has been deployed. These commands serve various purposes, such as injecting DLLs into memory, managing processes and services, self-deletion, modifying the configuration, setting up a proxy and more.
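A DNS-tunneling command channel of the kind described above leaves a recognizable footprint in resolver logs: many distinct, long, high-entropy subdomain labels sent by one client to one registered domain, often with TXT or other data-carrying record types. The following Python is an added illustration of that detection logic and is not part of this write-up nor derived from SombRAT itself. It assumes a simple whitespace-separated log format (timestamp, client IP, query type, query name), takes the last two labels as the "registered domain" (a real deployment would use the Public Suffix List), and uses thresholds chosen for the constructed sample log embedded in the block.

```python
"""Heuristic detector for DNS-tunneling-style C2 traffic in resolver logs.

Added example only: it scores (client, registered-domain) pairs by the number,
length and Shannon entropy of their subdomain labels. Nothing here is
SombRAT-specific; the sample log and the hex-looking labels are constructed.
"""
import math
from collections import defaultdict

# Constructed sample resolver log (assumed format: <timestamp> <client> <qtype> <qname>).
# Client 10.0.0.7 sends encoded-looking labels under one domain; the rest is benign.
SAMPLE_DNS_LOG = """\
2020-11-13T10:00:01 10.0.0.5 A www.example.com
2020-11-13T10:00:02 10.0.0.5 A static-content-host-01.cdn-example.org
2020-11-13T10:00:03 10.0.0.5 AAAA mail.example.com
2020-11-13T10:00:04 10.0.0.7 TXT 0123456789abcdef.fedcba9876543210.08192a3b4c5d6e7f.tunnel-example.test
2020-11-13T10:00:05 10.0.0.7 TXT 13579bdf02468ace.eca86420fdb97531.0f1e2d3c4b5a6978.tunnel-example.test
2020-11-13T10:00:06 10.0.0.7 TXT 89abcdef01234567.76543210fedcba98.f0e1d2c3b4a59687.tunnel-example.test
2020-11-13T10:00:07 10.0.0.7 TXT 02468ace13579bdf.fdb97531eca86420.8796a5b4c3d2e1f0.tunnel-example.test
2020-11-13T10:00:08 10.0.0.9 A www.example.com
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    total = len(text)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def split_name(qname: str):
    """Return (subdomain_part, registered_domain) using the naive last-two-labels rule."""
    labels = qname.rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def subdomain_part(qname: str) -> str:
    return split_name(qname)[0]


def score_queries(log_text: str):
    """Aggregate per (client, registered_domain): unique subdomains, entropies, lengths, qtypes."""
    stats = defaultdict(lambda: {"subdomains": set(), "entropies": [], "lengths": [], "qtypes": set()})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qtype, qname = fields
        sub, base = split_name(qname)
        entry = stats[(client, base)]
        entry["subdomains"].add(sub)
        # Entropy is measured over the label characters only (dots are structure, not data).
        entry["entropies"].append(shannon_entropy(sub.replace(".", "")))
        entry["lengths"].append(len(sub))
        entry["qtypes"].add(qtype)
    return stats


def flag_suspicious(log_text: str, min_unique=3, min_entropy=3.5, min_len=40):
    """Flag (client, domain) pairs whose subdomains are numerous, long and high-entropy.

    All three conditions must hold, so a single long CDN hostname or a few
    ordinary lookups of one domain do not trigger an alert.
    """
    flagged = []
    for (client, base), s in score_queries(log_text).items():
        mean_entropy = sum(s["entropies"]) / len(s["entropies"])
        mean_len = sum(s["lengths"]) / len(s["lengths"])
        if len(s["subdomains"]) >= min_unique and mean_entropy >= min_entropy and mean_len >= min_len:
            flagged.append((client, base, round(mean_entropy, 2), sorted(s["qtypes"])))
    return sorted(flagged)


if __name__ == "__main__":
    for client, base, ent, qtypes in flag_suspicious(SAMPLE_DNS_LOG):
        print(f"suspicious DNS pattern: client={client} domain={base} entropy={ent} qtypes={qtypes}")
```

The thresholds are deliberately strict for the sample; in production you would tune them against a baseline of your own resolver traffic and add the Public Suffix List so that multi-label registrable domains are grouped correctly.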

Samples of SombRAT have been recovered from systems in Europe, Asia, Australia and Africa, demonstrating the wide scope of the CostaRicto APT. So far, it has been impossible to determine the origin of the criminals, since hacker-for-hire groups are usually very careful not to reveal any details about their likely whereabouts.

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to SombRAT may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.

Download SpyHunter's Malware Scanner

Note: SpyHunter's free version is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware tool to remove the malware threats. Learn more on SpyHunter. If you would like to uninstall SpyHunter for any reason, please follow these uninstall instructions. To learn more about our policies and practices, visit our EULA, Privacy Policy and Threat Assessment Criteria.

Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.
