1. Home
  2. Software
  3. PS1

PS1

PS1 is a loader that was used to deploy 64-bit backdoors in the CostaRicto campaign.[1]

ID: S0613
Associated Software: PS1
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 24 May 2021
Last Modified: 15 October 2021
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

PS1 can utilize a PowerShell loader.[1]
Enterprise T1140 Deobfuscate/Decode Files or Information

PS1 can use an XOR key to decrypt a PowerShell loader and payload binary.[1]
Enterprise T1027 Obfuscated Files or Information

PS1 is distributed as a set of encrypted files and scripts.[1]
Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

PS1 can inject its payload DLL Into memory.[1]

Groups That Use This Software

ID Name References
G0132 CostaRicto

[1]

References

  1. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.