GOLD SOUTHFIELD

GOLD SOUTHFIELD is a financially motivated threat group active since at least 2018 that operates the REvil Ransomware-as-a Service (RaaS). GOLD SOUTHFIELD provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments. By early 2020, GOLD SOUTHFIELD started capitalizing on the new trend of stealing data and further extorting the victim to pay for their data to not get publicly leaked.^[1]^[2]^[3]^[4]

ID: G0115

ⓘ

Associated Groups: Pinchy Spider

Contributors: Thijn Bukkems, Amazon

Version: 2.0

Created: 22 September 2020

Last Modified: 28 March 2023

Version Permalink

Live Version

Associated Group Descriptions

Name	Description
Pinchy Spider	^[4]

Techniques Used

Domain	ID		Name	Use
Enterprise	T1059	.001	Command and Scripting Interpreter: PowerShell	GOLD SOUTHFIELD has staged and executed PowerShell scripts on compromised hosts.^[5]
Enterprise	T1190		Exploit Public-Facing Application	GOLD SOUTHFIELD has exploited Oracle WebLogic vulnerabilities for initial compromise.^[1]
Enterprise	T1133		External Remote Services	GOLD SOUTHFIELD has used publicly-accessible RDP and remote management and monitoring (RMM) servers to gain access to victim machines.^[1]
Enterprise	T1027	.010	Obfuscated Files or Information: Command Obfuscation	GOLD SOUTHFIELD has executed base64 encoded PowerShell scripts on compromised hosts.^[5]
Enterprise	T1566		Phishing	GOLD SOUTHFIELD has conducted malicious spam (malspam) campaigns to gain access to victim's machines.^[1]
Enterprise	T1219		Remote Access Software	GOLD SOUTHFIELD has used the cloud-based remote management and monitoring tool "ConnectWise Control" to deploy REvil.^[5]
Enterprise	T1113		Screen Capture	GOLD SOUTHFIELD has used the remote monitoring and management tool ConnectWise to obtain screen captures from victim's machines.^[5]
Enterprise	T1195	.002	Supply Chain Compromise: Compromise Software Supply Chain	GOLD SOUTHFIELD has distributed ransomware by backdooring software installers via a strategic web compromise of the site hosting Italian WinRAR.^[1]^[2]^[3]
Enterprise	T1199		Trusted Relationship	GOLD SOUTHFIELD has breached Managed Service Providers (MSP's) to deliver malware to MSP customers.^[1]

Software

ID	Name	References	Techniques
S0591	ConnectWise	^[6]^[5]	Command and Scripting Interpreter: PowerShell, Screen Capture, Video Capture
S0496	REvil	^[1]^[2]	Access Token Manipulation: Create Process with Token, Access Token Manipulation: Token Impersonation/Theft, Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Data Destruction, Data Encrypted for Impact, Deobfuscate/Decode Files or Information, Drive-by Compromise, Encrypted Channel: Asymmetric Cryptography, Exfiltration Over C2 Channel, File and Directory Discovery, Impair Defenses: Safe Mode Boot, Impair Defenses: Disable or Modify Tools, Indicator Removal: File Deletion, Ingress Tool Transfer, Inhibit System Recovery, Loss of Productivity and Revenue, Masquerading: Match Legitimate Name or Location, Masquerading, Modify Registry, Native API, Obfuscated Files or Information, Obfuscated Files or Information: Fileless Storage, Permission Groups Discovery: Domain Groups, Phishing: Spearphishing Attachment, Process Injection, Query Registry, Remote Services, Scripting, Service Stop, Service Stop, Standard Application Layer Protocol, System Information Discovery, System Location Discovery: System Language Discovery, System Service Discovery, Theft of Operational Information, User Execution: Malicious File, User Execution, Windows Management Instrumentation

GOLD SOUTHFIELD

Associated Group Descriptions

Enterprise Layer

Techniques Used

Software

References