CostaRicto, Campaign C0004 | MITRE ATT&CK®

CostaRicto

CostaRicto was a suspected hacker-for-hire cyber espionage campaign that targeted multiple industries worldwide, with a large number being financial institutions. CostaRicto actors targeted organizations in Europe, the Americas, Asia, Australia, and Africa, with a large concentration in South Asia (especially India, Bangladesh, and Singapore), using custom malware, open source tools, and a complex network of proxies and SSH tunnels.[1]

ID: C0004
First Seen: October 2019 [1]
Last Seen: November 2020 [1]
Version: 1.0
Created: 15 September 2022
Last Modified: 05 October 2022

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1583.001 | Acquire Infrastructure: Domains | For CostaRicto, the threat actors established domains, some of which appeared to spoof legitimate domains.[1] |
| Enterprise | T1005 | Data from Local System | During CostaRicto, the threat actors collected data and files from compromised networks.[1] |
| Enterprise | T1587.001 | Develop Capabilities: Malware | For CostaRicto, the threat actors used custom malware, including PS1, CostaBricks, and SombRAT.[1] |
| Enterprise | T1133 | External Remote Services | During CostaRicto, the threat actors set up remote tunneling using an SSH tool to maintain access to a compromised environment.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | During CostaRicto, the threat actors downloaded malware and tools onto a compromised host.[1] |
| Enterprise | T1046 | Network Service Discovery | During CostaRicto, the threat actors employed nmap and pscan to scan target environments.[1] |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | During CostaRicto, the threat actors obtained open source tools to use in their operations.[1] |
| Enterprise | T1572 | Protocol Tunneling | During CostaRicto, the threat actors set up remote SSH tunneling into the victim's environment from a malicious domain.[1] |
| Enterprise | T1090.003 | Proxy: Multi-hop Proxy | During CostaRicto, the threat actors used a layer of proxies to manage C2 communications.[1] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | During CostaRicto, the threat actors used scheduled tasks to download backdoor tools.[1] |

Software

| ID | Name | Description |
|---|---|---|
| S0614 | CostaBricks | During CostaRicto, threat actors used a custom VM-based payload loader named CostaBricks.[1] |
| S0194 | PowerSploit | During CostaRicto, threat actors used PowerSploit's Invoke-ReflectivePEInjection module.[1] |
| S0613 | PS1 | During CostaRicto, threat actors used the 64-bit backdoor loader PS1.[1] |
| S0029 | PsExec | During CostaRicto, threat actors used PsExec.[1] |
| S0615 | SombRAT | During CostaRicto, threat actors used SombRAT in conjunction with CostaBricks and PowerSploit.[1] |
| S0183 | Tor | During CostaRicto, threat actors used C2 servers managed through Tor.[1] |

References