{"description": "Enterprise techniques used by CostaRicto, ATT&CK campaign C0004 (v1.0)", "name": "CostaRicto (C0004)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1583", "showSubtechniques": true}, {"techniqueID": "T1583.001", "comment": "For [CostaRicto](https://attack.mitre.org/campaigns/C0004), the threat actors established domains, some of which appeared to spoof legitimate domains.(Citation: BlackBerry CostaRicto November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "During [CostaRicto](https://attack.mitre.org/campaigns/C0004), the threat actors collected data and files from compromised networks.(Citation: BlackBerry CostaRicto November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1587", "showSubtechniques": true}, {"techniqueID": "T1587.001", "comment": "For [CostaRicto](https://attack.mitre.org/campaigns/C0004), the threat actors used custom malware, including [PS1](https://attack.mitre.org/software/S0613), [CostaBricks](https://attack.mitre.org/software/S0614), and [SombRAT](https://attack.mitre.org/software/S0615).(Citation: BlackBerry CostaRicto November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1133", "comment": "During [CostaRicto](https://attack.mitre.org/campaigns/C0004), the threat actors set up remote tunneling using an SSH tool to maintain access to a compromised environment.(Citation: BlackBerry CostaRicto November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1105", "comment": "During [CostaRicto](https://attack.mitre.org/campaigns/C0004), the threat actors downloaded malware and tools onto a compromised host.(Citation: BlackBerry CostaRicto November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1046", "comment": "During [CostaRicto](https://attack.mitre.org/campaigns/C0004), the threat actors employed nmap and pscan to scan target environments.(Citation: BlackBerry CostaRicto November 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1588", "showSubtechniques": true}, {"techniqueID": "T1588.002", "comment": "During [CostaRicto](https://attack.mitre.org/campaigns/C0004), the threat actors obtained open source tools to use in their operations.(Citation: BlackBerry CostaRicto November 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1572", "comment": "During [CostaRicto](https://attack.mitre.org/campaigns/C0004), the threat actors set up remote SSH tunneling into the victim's environment from a malicious domain.(Citation: BlackBerry CostaRicto November 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1090", "showSubtechniques": true}, {"techniqueID": "T1090.003", "comment": "During [CostaRicto](https://attack.mitre.org/campaigns/C0004), the threat actors used a layer of proxies to manage C2 communications.(Citation: BlackBerry CostaRicto November 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "During [CostaRicto](https://attack.mitre.org/campaigns/C0004), the threat actors used scheduled tasks to download backdoor tools.(Citation: BlackBerry CostaRicto November 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by CostaRicto", "color": "#66b1ff"}]}