PS1 is a loader that was used to deploy 64-bit backdoors in the CostaRicto campaign.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | PS1 can use an XOR key to decrypt a PowerShell loader and payload binary.[1] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | PS1 is distributed as a set of encrypted files and scripts.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | CostaBricks can download additional payloads onto a compromised host.[1] |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | |
| ID | Name | Description |
|---|---|---|
| C0004 | CostaRicto | During CostaRicto, threat actors used the 64-bit backdoor loader PS1.[1] |