CostaRicto

CostaRicto is a suspected hacker-for-hire cyber espionage campaign that has targeted multiple industries worldwide since at least 2019. CostaRicto's targets, a large portion of which are financial institutions, are scattered across Europe, the Americas, Asia, Australia, and Africa, with a large concentration in South Asia.[1]

ID: G0132
Version: 1.0
Created: 24 May 2021
Last Modified: 15 October 2021

Techniques Used

Domain ID Name Use
Enterprise T1046 Network Service Discovery

CostaRicto employed nmap and pscan to scan target environments.[1]

Enterprise T1588 .002 Obtain Capabilities: Tool

CostaRicto has obtained open source tools to use in their operations.[1]

Enterprise T1572 Protocol Tunneling

CostaRicto has set up remote SSH tunneling into the victim's environment from a malicious domain.[1]

Enterprise T1090 .003 Proxy: Multi-hop Proxy

CostaRicto has used a layer of proxies to manage C2 communications.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

CostaRicto has used scheduled tasks to download backdoor tools.[1]

Software

ID Name References Techniques
S0614 CostaBricks [1] Deobfuscate/Decode Files or Information, Ingress Tool Transfer, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information: Binary Padding
S0194 PowerSploit [1] Access Token Manipulation, Account Discovery: Local Account, Audio Capture, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Create or Modify System Process: Windows Service, Credentials from Password Stores: Windows Credential Manager, Data from Local System, Domain Trust Discovery, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Path Interception by Search Order Hijacking, Input Capture: Keylogging, Obfuscated Files or Information, Obfuscated Files or Information: Indicator Removal from Tools, OS Credential Dumping: LSASS Memory, Path Interception, Process Discovery, Process Injection: Dynamic-link Library Injection, Query Registry, Reflective Code Loading, Scheduled Task/Job: Scheduled Task, Screen Capture, Steal or Forge Kerberos Tickets: Kerberoasting, Unsecured Credentials: Credentials in Registry, Unsecured Credentials: Group Policy Preferences, Windows Management Instrumentation
S0613 PS1 [1] Command and Scripting Interpreter: PowerShell, Deobfuscate/Decode Files or Information, Obfuscated Files or Information, Process Injection: Dynamic-link Library Injection
S0029 PsExec [1] Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S0615 SombRAT [1] Application Layer Protocol: DNS, Data from Local System, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Dynamic Resolution: Domain Generation Algorithms, Encrypted Channel: Asymmetric Cryptography, File and Directory Discovery, Hide Artifacts: Process Argument Spoofing, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Masquerading, Native API, Non-Application Layer Protocol, Obfuscated Files or Information, Process Discovery, Process Injection: Dynamic-link Library Injection, Proxy, System Information Discovery, System Owner/User Discovery, System Service Discovery, System Time Discovery
S0183 Tor [1] Encrypted Channel: Asymmetric Cryptography, Proxy: Multi-hop Proxy

References