PS1 is a loader that was used to deploy 64-bit backdoors in the CostaRicto campaign.[1]

ID: S0613
Platforms: Windows
Version: 1.2
Created: 24 May 2021
Last Modified: 11 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

PS1 can utilize a PowerShell loader.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

PS1 can use an XOR key to decrypt a PowerShell loader and payload binary.[1]

Enterprise T1105 Ingress Tool Transfer

CostaBricks can download additional payloads onto a compromised host.[1]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

PS1 is distributed as a set of encrypted files and scripts.[1]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

PS1 can inject its payload DLL Into memory.[1]


ID Name Description
C0004 CostaRicto

During CostaRicto, threat actors used the 64-bit backdoor loader PS1.[1]