ATT&CK v18 has been released! Check out the blog post or changelog for more information.

CostaBricks

CostaBricks is a loader that was used to deploy 32-bit backdoors in the CostaRicto campaign.^[1]

ID: S0614

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 24 May 2021

Last Modified: 16 April 2025

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1140		Deobfuscate/Decode Files or Information	CostaBricks has the ability to use bytecode to decrypt embedded payloads.^[1]
Enterprise	T1105		Ingress Tool Transfer	CostaBricks has been used to load SombRAT onto a compromised host.^[1]
Enterprise	T1106		Native API	CostaBricks has used a number of API calls, including `VirtualAlloc`, `VirtualFree`, `LoadLibraryA`, `GetProcAddress`, and `ExitProcess`.^[1]
Enterprise	T1027	.001	Obfuscated Files or Information: Binary Padding	CostaBricks has added the entire unobfuscated code of the legitimate open source application Blink to its code.^[1]
		.002	Obfuscated Files or Information: Software Packing	CostaBricks can implement a custom-built virtual machine mechanism to obfuscate its code.^[1]
Enterprise	T1055		Process Injection	CostaBricks can inject a payload into the memory of a compromised host.^[1]

Campaigns

ID	Name	Description
C0004	CostaRicto	During CostaRicto, threat actors used a custom VM-based payload loader named CostaBricks.^[1]

References

The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.