Skip to content

S0614 CostaBricks

CostaBricks is a loader that was used to deploy 32-bit backdoors in the CostaRicto campaign.1

Item Value
ID S0614
Associated Names
Type MALWARE
Version 1.1
Created 24 May 2021
Last Modified 05 October 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1140 Deobfuscate/Decode Files or Information CostaBricks has the ability to use bytecode to decrypt embedded payloads.1
enterprise T1105 Ingress Tool Transfer CostaBricks has been used to load SombRAT onto a compromised host.1
enterprise T1106 Native API CostaBricks has used a number of API calls, including VirtualAlloc, VirtualFree, LoadLibraryA, GetProcAddress, and ExitProcess.1
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.001 Binary Padding CostaBricks has added the entire unobfuscated code of the legitimate open source application Blink to its code.1
enterprise T1027.002 Software Packing CostaBricks can implement a custom-built virtual machine mechanism to obfuscate its code.1
enterprise T1055 Process Injection CostaBricks can inject a payload into the memory of a compromised host.1

References