
C0004 CostaRicto

CostaRicto was a suspected hacker-for-hire cyber espionage campaign that targeted multiple industries worldwide, many of them financial institutions. CostaRicto actors targeted organizations in Europe, the Americas, Asia, Australia, and Africa, with a large concentration in South Asia (especially India, Bangladesh, and Singapore), using custom malware, open source tools, and a complex network of proxies and SSH tunnels. [1]

ID: C0004
Associated Names: (none listed)
First Seen: October 2019
Last Seen: November 2020
Version: 1.0
Created: 15 September 2022
Last Modified: 05 October 2022

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1583 | Acquire Infrastructure | - |
| enterprise | T1583.001 | Domains | For CostaRicto, the threat actors established domains, some of which appeared to spoof legitimate domains. [1] |
| enterprise | T1005 | Data from Local System | During CostaRicto, the threat actors collected data and files from compromised networks. [1] |
| enterprise | T1587 | Develop Capabilities | - |
| enterprise | T1587.001 | Malware | For CostaRicto, the threat actors used custom malware, including PS1, CostaBricks, and SombRAT. [1] |
| enterprise | T1133 | External Remote Services | During CostaRicto, the threat actors set up remote tunneling using an SSH tool to maintain access to a compromised environment. [1] |
| enterprise | T1105 | Ingress Tool Transfer | During CostaRicto, the threat actors downloaded malware and tools onto a compromised host. [1] |
| enterprise | T1046 | Network Service Discovery | During CostaRicto, the threat actors employed nmap and pscan to scan target environments. [1] |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.002 | Tool | During CostaRicto, the threat actors obtained open source tools to use in their operations. [1] |
| enterprise | T1572 | Protocol Tunneling | During CostaRicto, the threat actors set up remote SSH tunneling into the victim's environment from a malicious domain. [1] |
| enterprise | T1090 | Proxy | - |
| enterprise | T1090.003 | Multi-hop Proxy | During CostaRicto, the threat actors used a layer of proxies to manage C2 communications. [1] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | During CostaRicto, the threat actors used scheduled tasks to download backdoor tools. [1] |

Software

| ID | Name | Description |
|---|---|---|
| S0614 | CostaBricks | During CostaRicto, threat actors used a custom VM-based payload loader named CostaBricks. [1] |

References