Skip to content

G0132 CostaRicto

CostaRicto is a suspected hacker-for-hire cyber espionage campaign that has targeted multiple industries worldwide since at least 2019. CostaRicto‘s targets, a large portion of which are financial institutions, are scattered across Europe, the Americas, Asia, Australia, and Africa, with a large concentration in South Asia.1

Item Value
ID G0132
Associated Names
Version 1.0
Created 24 May 2021
Last Modified 15 October 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1046 Network Service Discovery CostaRicto employed nmap and pscan to scan target environments.1
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool CostaRicto has obtained open source tools to use in their operations.1
enterprise T1572 Protocol Tunneling CostaRicto has set up remote SSH tunneling into the victim’s environment from a malicious domain.1
enterprise T1090 Proxy -
enterprise T1090.003 Multi-hop Proxy CostaRicto has used a layer of proxies to manage C2 communications.1
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task CostaRicto has used scheduled tasks to download backdoor tools.1


ID Name References Techniques
S0614 CostaBricks - Deobfuscate/Decode Files or Information Ingress Tool Transfer Software Packing:Obfuscated Files or Information Binary Padding:Obfuscated Files or Information
S0194 PowerSploit - Access Token Manipulation Local Account:Account Discovery Audio Capture Security Support Provider:Boot or Logon Autostart Execution Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution PowerShell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Windows Credential Manager:Credentials from Password Stores Data from Local System Domain Trust Discovery DLL Search Order Hijacking:Hijack Execution Flow Path Interception by Unquoted Path:Hijack Execution Flow Path Interception by PATH Environment Variable:Hijack Execution Flow Path Interception by Search Order Hijacking:Hijack Execution Flow Keylogging:Input Capture Obfuscated Files or Information Indicator Removal from Tools:Obfuscated Files or Information LSASS Memory:OS Credential Dumping Path Interception Process Discovery Dynamic-link Library Injection:Process Injection Query Registry Reflective Code Loading Scheduled Task:Scheduled Task/Job Screen Capture Kerberoasting:Steal or Forge Kerberos Tickets Credentials in Registry:Unsecured Credentials Group Policy Preferences:Unsecured Credentials Windows Management Instrumentation
S0613 PS1 - PowerShell:Command and Scripting Interpreter Deobfuscate/Decode Files or Information Obfuscated Files or Information Dynamic-link Library Injection:Process Injection
S0029 PsExec - Domain Account:Create Account Windows Service:Create or Modify System Process Lateral Tool Transfer SMB/Windows Admin Shares:Remote Services Service Execution:System Services
S0615 SombRAT - DNS:Application Layer Protocol Data from Local System Local Data Staging:Data Staged Deobfuscate/Decode Files or Information Domain Generation Algorithms:Dynamic Resolution Asymmetric Cryptography:Encrypted Channel File and Directory Discovery Process Argument Spoofing:Hide Artifacts File Deletion:Indicator Removal on Host Ingress Tool Transfer Masquerading Native API Non-Application Layer Protocol Obfuscated Files or Information Process Discovery Dynamic-link Library Injection:Process Injection Proxy System Information Discovery System Owner/User Discovery System Service Discovery System Time Discovery
S0183 Tor - Asymmetric Cryptography:Encrypted Channel Multi-hop Proxy:Proxy


Back to top