1. Home
  2. Groups
  3. GOLD SOUTHFIELD

GOLD SOUTHFIELD

GOLD SOUTHFIELD is a financially motivated threat group active since at least 2019 that operates the REvil Ransomware-as-a Service (RaaS). GOLD SOUTHFIELD provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments.[1][2][3]

ID: G0115
Contributors: Thijn Bukkems, Amazon
Version: 1.1
Created: 22 September 2020
Last Modified: 26 April 2021
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

GOLD SOUTHFIELD has staged and executed PowerShell scripts on compromised hosts.[4]
Enterprise T1190 Exploit Public-Facing Application

GOLD SOUTHFIELD has exploited Oracle WebLogic vulnerabilities for initial compromise.[1]
Enterprise T1133 External Remote Services

GOLD SOUTHFIELD has used publicly-accessible RDP and remote management and monitoring (RMM) servers to gain access to victim machines.[1]

Enterprise T1027 Obfuscated Files or Information

GOLD SOUTHFIELD has executed base64 encoded PowerShell scripts on compromised hosts.[4]
Enterprise T1566 Phishing

GOLD SOUTHFIELD has conducted malicious spam (malspam) campaigns to gain access to victim's machines.[1]
Enterprise T1219 Remote Access Software

GOLD SOUTHFIELD has used the cloud-based remote management and monitoring tool "ConnectWise Control" to deploy REvil.[4]
Enterprise T1113 Screen Capture

GOLD SOUTHFIELD has used the remote monitoring and management tool ConnectWise to obtain screen captures from victim's machines.[4]
Enterprise T1195 .002 Supply Chain Compromise: Compromise Software Supply Chain

GOLD SOUTHFIELD has distributed ransomware by backdooring software installers via a strategic web compromise of the site hosting Italian WinRAR.[1][2][3]
Enterprise T1199 Trusted Relationship

GOLD SOUTHFIELD has breached Managed Service Providers (MSP's) to deliver malware to MSP customers.[1]

Software

ID Name References Techniques
S0591 ConnectWise [5][4] Command and Scripting Interpreter: PowerShell, Screen Capture, Video Capture
S0496 REvil [1][2] Access Token Manipulation: Create Process with Token, Access Token Manipulation: Token Impersonation/Theft, Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: Visual Basic, Data Destruction, Data Encrypted for Impact, Deobfuscate/Decode Files or Information, Drive-by Compromise, Encrypted Channel: Asymmetric Cryptography, Exfiltration Over C2 Channel, File and Directory Discovery, Impair Defenses: Disable or Modify Tools, Impair Defenses: Safe Mode Boot, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Inhibit System Recovery, Masquerading: Match Legitimate Name or Location, Modify Registry, Native API, Obfuscated Files or Information, Permission Groups Discovery: Domain Groups, Phishing: Spearphishing Attachment, Process Injection, Query Registry, Service Stop, System Information Discovery, System Location Discovery: System Language Discovery, System Service Discovery, User Execution: Malicious File, Windows Management Instrumentation

References

  1. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
  2. Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.
  3. Secureworks. (n.d.). GOLD SOUTHFIELD. Retrieved October 6, 2020.
  1. Tetra Defense. (2020, March). CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS. Retrieved December 14, 2020.
  2. Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.