GOLD SOUTHFIELD

GOLD SOUTHFIELD is a financially motivated threat group active since at least 2018 that operates the REvil Ransomware-as-a-Service (RaaS). GOLD SOUTHFIELD provides backend infrastructure for affiliates recruited on underground forums to carry out high-value deployments. By early 2020, GOLD SOUTHFIELD had begun capitalizing on the emerging trend of stealing victim data and further extorting the victim with the threat of publicly leaking it.[1][2][3][4]

ID: G0115
Associated Groups: Pinchy Spider
Contributors: Thijn Bukkems, Amazon
Version: 2.0
Created: 22 September 2020
Last Modified: 28 March 2023

Associated Group Descriptions

Name            Description
Pinchy Spider   [4]

Techniques Used

Domain ID Name Use
Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

GOLD SOUTHFIELD has staged and executed PowerShell scripts on compromised hosts.[5]

Enterprise T1190 Exploit Public-Facing Application

GOLD SOUTHFIELD has exploited Oracle WebLogic vulnerabilities for initial compromise.[1]

Enterprise T1133 External Remote Services

GOLD SOUTHFIELD has used publicly accessible RDP and remote management and monitoring (RMM) servers to gain access to victim machines.[1]

Enterprise T1027.010 Obfuscated Files or Information: Command Obfuscation

GOLD SOUTHFIELD has executed base64-encoded PowerShell scripts on compromised hosts.[5]

Enterprise T1566 Phishing

GOLD SOUTHFIELD has conducted malicious spam (malspam) campaigns to gain access to victims' machines.[1]

Enterprise T1219 Remote Access Software

GOLD SOUTHFIELD has used the cloud-based remote management and monitoring tool "ConnectWise Control" to deploy REvil.[5]

Enterprise T1113 Screen Capture

GOLD SOUTHFIELD has used the remote monitoring and management tool ConnectWise to obtain screen captures from victims' machines.[5]

Enterprise T1195.002 Supply Chain Compromise: Compromise Software Supply Chain

GOLD SOUTHFIELD has distributed ransomware by backdooring software installers via a strategic web compromise of the site hosting Italian WinRAR.[1][2][3]

Enterprise T1199 Trusted Relationship

GOLD SOUTHFIELD has breached Managed Service Providers (MSPs) to deliver malware to MSP customers.[1]

Software

ID Name References Techniques
S0591 ConnectWise [6][5] Command and Scripting Interpreter: PowerShell, Screen Capture, Video Capture
S0496 REvil [1][2] Access Token Manipulation: Create Process with Token, Access Token Manipulation: Token Impersonation/Theft, Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Data Destruction, Data Encrypted for Impact, Deobfuscate/Decode Files or Information, Drive-by Compromise, Encrypted Channel: Asymmetric Cryptography, Execution Guardrails: Mutual Exclusion, Exfiltration Over C2 Channel, File and Directory Discovery, Impair Defenses: Safe Mode Boot, Impair Defenses: Disable or Modify Tools, Indicator Removal: File Deletion, Ingress Tool Transfer, Inhibit System Recovery, Loss of Productivity and Revenue, Masquerading: Match Legitimate Name or Location, Masquerading, Modify Registry, Native API, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Fileless Storage, Permission Groups Discovery: Domain Groups, Phishing: Spearphishing Attachment, Process Injection, Query Registry, Remote Services, Scripting, Service Stop, Standard Application Layer Protocol, System Information Discovery, System Location Discovery: System Language Discovery, System Service Discovery, Theft of Operational Information, User Execution: Malicious File, User Execution, Windows Management Instrumentation

References