G0132 CostaRicto
CostaRicto is a suspected hacker-for-hire cyber espionage campaign that has targeted multiple industries worldwide since at least 2019. CostaRicto's targets, a large portion of which are financial institutions, are scattered across Europe, the Americas, Asia, Australia, and Africa, with a large concentration in South Asia.[1]
Item | Value |
---|---|
ID | G0132 |
Associated Names | |
Version | 1.0 |
Created | 24 May 2021 |
Last Modified | 15 October 2021 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1046 | Network Service Discovery | CostaRicto employed nmap and pscan to scan target environments.[1] |
enterprise | T1588 | Obtain Capabilities | - |
enterprise | T1588.002 | Tool | CostaRicto has obtained open source tools to use in their operations.[1] |
enterprise | T1572 | Protocol Tunneling | CostaRicto has set up remote SSH tunneling into the victim’s environment from a malicious domain.[1] |
enterprise | T1090 | Proxy | - |
enterprise | T1090.003 | Multi-hop Proxy | CostaRicto has used a layer of proxies to manage C2 communications.[1] |
enterprise | T1053 | Scheduled Task/Job | - |
enterprise | T1053.005 | Scheduled Task | CostaRicto has used scheduled tasks to download backdoor tools.[1] |