PS1 - S0613 (13183cdf-280b-46be-913a-5c6df47831e7)

PS1 is a loader that was used to deploy 64-bit backdoors in the CostaRicto campaign.(Citation: BlackBerry CostaRicto November 2020)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	PS1 - S0613 (13183cdf-280b-46be-913a-5c6df47831e7)	Malware	1
PS1 - S0613 (13183cdf-280b-46be-913a-5c6df47831e7)	Malware	Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	1
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	PS1 - S0613 (13183cdf-280b-46be-913a-5c6df47831e7)	Malware	1
PS1 - S0613 (13183cdf-280b-46be-913a-5c6df47831e7)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	1
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	PS1 - S0613 (13183cdf-280b-46be-913a-5c6df47831e7)	Malware	1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2