Skip to content

S0613 PS1

PS1 is a loader that was used to deploy 64-bit backdoors in the CostaRicto campaign.1

Item Value
ID S0613
Associated Names
Type MALWARE
Version 1.1
Created 24 May 2021
Last Modified 05 October 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell PS1 can utilize a PowerShell loader.1
enterprise T1140 Deobfuscate/Decode Files or Information PS1 can use an XOR key to decrypt a PowerShell loader and payload binary.1
enterprise T1105 Ingress Tool Transfer CostaBricks can download additional payloads onto a compromised host.1
enterprise T1027 Obfuscated Files or Information PS1 is distributed as a set of encrypted files and scripts.1
enterprise T1055 Process Injection -
enterprise T1055.001 Dynamic-link Library Injection PS1 can inject its payload DLL Into memory.1

References