S0614: CostaBricks
CostaBricks is a loader that was used to deploy 32-bit backdoors in the CostaRicto campaign.[1]
Analyst context for executives and security teams
CostaBricks matters because it is described as a Windows loader used to deploy 32-bit backdoors in the CostaRicto campaign. For leaders, the risk is less the loader name itself and more whether the organization can reliably spot and contain stealthy loader behavior before it becomes persistent backdoor access.
Executive priority
Prioritize validation of endpoint visibility and incident response playbooks for Windows malware loaders, especially where espionage risk or regulated financial/business data is material. Because ATT&CK provides no official detection text for CostaBricks, evidence of coverage should come from tested telemetry for packing, padding, process injection, file transfer, native API execution, and deobfuscation behaviors rather than from hash-based controls alone.
Technical view
SOC and IR teams should treat CostaBricks as a Windows loader associated with CostaRicto and map detections to its related behaviors: Binary Padding, Software Packing, Process Injection, Ingress Tool Transfer, Native API, and Deobfuscate/Decode Files or Information. Validate whether EDR and malware-analysis workflows can identify suspicious 32-bit executable behavior, packed or padded binaries, memory injection patterns, unusual API usage, and newly introduced tools or payloads. Triage should correlate file characteristics, process lineage, memory events, and network/file-transfer evidence rather than relying on static signatures only.
Likely telemetry
- Windows endpoint process creation and parent/child process lineage
- EDR memory and process-injection events
- Executable file metadata, size anomalies, entropy, packing indicators, and hash history
- File creation/modification events for newly introduced tools or payloads
- Network connection and file-transfer logs associated with suspicious payload staging
Detection direction
- Confirm whether controls handle large, padded, or packed binaries that may evade hash-only or static signature approaches.
- Tune detections for suspicious process injection with attention to legitimate software that may also inject into processes.
- Correlate suspicious file transfer or payload staging with subsequent execution and memory behavior.
- Look for deobfuscation or decoding activity as part of execution chains, but avoid over-alerting on legitimate administrative or software-installation activity without context.
- Use the CostaRicto campaign relationship as threat-intelligence context, not as proof of attribution in local incidents.
Mitigation priorities
- Maintain strong Windows endpoint protection and logging coverage for execution, memory, and file events.
- Reduce reliance on hash-based blocking alone; include behavioral and reputation-based controls where available.
- Harden application control and software execution policies for untrusted binaries, especially 32-bit executables where relevant to the environment.
- Ensure incident response procedures include rapid collection of suspicious binaries, memory evidence, process trees, and network/file-transfer context.
- Use threat-informed testing to verify that packing, padding, injection, and loader-to-backdoor deployment patterns generate usable alerts and investigation evidence.
Analyst notes and limits
The supplied ATT&CK object identifies CostaBricks as a loader used to deploy 32-bit backdoors in the CostaRicto campaign and links it to several stealth, execution, command-and-control, and privilege-escalation-related techniques. The most defensible security value is to validate behavioral coverage for loader tradecraft on Windows, especially where espionage-oriented campaigns would create business or regulatory concern.
MITRE provides no official detection guidance for CostaBricks, no aliases, no malware labels, and no object-level tactics. The assessment is limited to the official description, external references, platform field, and supplied relationship context. Local telemetry, samples, and environment-specific baselines are required to determine actual exposure or detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1105 | Ingress Tool Transfer | CostaBricks has been used to load SombRAT onto a compromised host.[1] |
| Enterprise | T1027.002 | Software Packing (sub-technique) | CostaBricks can implement a custom-built virtual machine mechanism to obfuscate its code.[1] |
| Enterprise | T1027.001 | Binary Padding (sub-technique) | CostaBricks has added the entire unobfuscated code of the legitimate open source application Blink to its code.[1] |
| Enterprise | T1055 | Process Injection | CostaBricks can inject a payload into the memory of a compromised host.[1] |
| Enterprise | T1106 | Native API | CostaBricks has used a number of API calls, including `VirtualAlloc`, `VirtualFree`, `LoadLibraryA`, `GetProcAddress`, and `ExitProcess`.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | CostaBricks has the ability to use bytecode to decrypt embedded payloads.[1] |
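One way to turn the Binary Padding, Software Packing and Native API rows above into a file-triage check, as an added example that is not from this page, BlackBerry or MITRE: it profiles entropy per fixed window (so an encrypted payload is not averaged away by a large body of padded legitimate code) and looks for the API names listed in the T1106 row. The sample blob, the 7.0 entropy threshold and the "three of five APIs" rule are constructed assumptions, not derived from a real sample.

```python
import math
import random
from collections import Counter

# API names from the Native API (T1106) row of the table: together they form the
# allocate / resolve / execute pattern typical of an in-memory loader.
LOADER_APIS = (b"VirtualAlloc", b"VirtualFree", b"LoadLibraryA",
               b"GetProcAddress", b"ExitProcess")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~0 for filler, roughly 4-6 for code or text, near 8 for packed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def entropy_profile(data: bytes, chunk: int = 4096) -> list:
    """Entropy per fixed window, so a small encrypted payload is not averaged away by
    a large body of ordinary code (the effect binary padding, T1027.001, relies on)."""
    return [round(shannon_entropy(data[i:i + chunk]), 3)
            for i in range(0, len(data), chunk)]

def triage(data: bytes, chunk: int = 4096, hot: float = 7.0) -> dict:
    """Triage heuristic: flag the co-occurrence of a high-entropy region and the
    loader API set. Neither signal alone is conclusive; compressed resources and
    installers are also high-entropy, so this orders analyst attention, not blocking."""
    profile = entropy_profile(data, chunk)
    hot_chunks = [i for i, e in enumerate(profile) if e >= hot]
    apis = [a.decode() for a in LOADER_APIS if a in data]
    return {
        "size": len(data),
        "chunks": len(profile),
        "hot_chunks": hot_chunks,
        "mean_entropy": round(sum(profile) / len(profile), 3) if profile else 0.0,
        "loader_apis": apis,
        "suspicious": bool(hot_chunks) and len(apis) >= 3,
    }

def build_sample() -> bytes:
    """Constructed test blob (not a real CostaBricks sample): ordinary-looking source
    text as bulk, a random blob standing in for an encrypted payload, then import names."""
    rng = random.Random(7)
    filler = (b"static int render_frame(struct layer *l) { return l->dirty; }\n" * 200)[:8192]
    payload = bytes(rng.getrandbits(8) for _ in range(4096))
    imports = b"\x00".join(LOADER_APIS + (b"GetLastError", b"CloseHandle")) + b"\x00"
    return filler + payload + imports

if __name__ == "__main__":
    print(triage(build_sample()))
```

On the constructed blob the third 4 KiB window (the stand-in payload) is the only hot one, and all five API names are present, so the verdict is suspicious; a file of ordinary code with the same imports but no hot window is not.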
Groups, software, and campaigns
C0004: CostaRicto
CostaRicto was a suspected hacker-for-hire cyber espionage campaign that targeted multiple industries worldwide, with a large number being financial institutions. CostaRicto actors targeted organizations in Europe, the Americas, Asia, Australia, and Africa, with a large concentration in South Asia (especially India, Bangladesh, and Singapore), using custom malware, open source tools, and a complex network of proxies and SSH tunnels.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | a398e6df1d75… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021. (BlackBerry CostaRicto November 2020; open source URL)
[2] MITRE ATT&CK. S0614: CostaBricks. (mitre-attack; open source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.