S0613 PS1
PS1 is a loader that was used to deploy 64-bit backdoors in the CostaRicto campaign.[1]
| Item | Value |
|---|---|
| ID | S0613 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 24 May 2021 |
| Last Modified | 05 October 2022 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | PS1 can utilize a PowerShell loader.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | PS1 can use an XOR key to decrypt a PowerShell loader and payload binary.[1] |
| enterprise | T1105 | Ingress Tool Transfer | CostaBricks can download additional payloads onto a compromised host.[1] |
| enterprise | T1027 | Obfuscated Files or Information | PS1 is distributed as a set of encrypted files and scripts.[1] |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.001 | Dynamic-link Library Injection | PS1 can inject its payload DLL into memory.[1] |