PS1 is a loader that was used to deploy 64-bit backdoors in the CostaRicto campaign.[1]

ID: S0613
Associated Software: PS1
Platforms: Windows
Version: 1.0
Created: 24 May 2021
Last Modified: 15 October 2021

Techniques Used

Domain ID Name Use
Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

PS1 can utilize a PowerShell loader.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

PS1 can use an XOR key to decrypt a PowerShell loader and payload binary.[1]

Enterprise T1027 Obfuscated Files or Information

PS1 is distributed as a set of encrypted files and scripts.[1]

Enterprise T1055.001 Process Injection: Dynamic-link Library Injection

PS1 can inject its payload DLL into memory.[1]

Groups That Use This Software

ID Name References
G0132 CostaRicto