GOLD SOUTHFIELD is a financially motivated threat group active since at least 2019 that operates the REvil Ransomware-as-a Service (RaaS). GOLD SOUTHFIELD provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments.[1][2][3]

ID: G0115
Contributors: Thijn Bukkems, Amazon
Version: 1.1
Created: 22 September 2020
Last Modified: 26 April 2021

Techniques Used

Domain ID Name Use
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

GOLD SOUTHFIELD has staged and executed PowerShell scripts on compromised hosts.[4]

Enterprise T1190 Exploit Public-Facing Application

GOLD SOUTHFIELD has exploited Oracle WebLogic vulnerabilities for initial compromise.[1]

Enterprise T1133 External Remote Services

GOLD SOUTHFIELD has used publicly-accessible RDP and remote management and monitoring (RMM) servers to gain access to victim machines.[1]

Enterprise T1027 Obfuscated Files or Information

GOLD SOUTHFIELD has executed base64 encoded PowerShell scripts on compromised hosts.[4]

Enterprise T1566 Phishing

GOLD SOUTHFIELD has conducted malicious spam (malspam) campaigns to gain access to victim's machines.[1]

Enterprise T1219 Remote Access Software

GOLD SOUTHFIELD has used the cloud-based remote management and monitoring tool "ConnectWise Control" to deploy REvil.[4]

Enterprise T1113 Screen Capture

GOLD SOUTHFIELD has used the remote monitoring and management tool ConnectWise to obtain screen captures from victim's machines.[4]

Enterprise T1195 .002 Supply Chain Compromise: Compromise Software Supply Chain

GOLD SOUTHFIELD has distributed ransomware by backdooring software installers via a strategic web compromise of the site hosting Italian WinRAR.[1][2][3]

Enterprise T1199 Trusted Relationship

GOLD SOUTHFIELD has breached Managed Service Providers (MSP's) to deliver malware to MSP customers.[1]


ID Name References Techniques
S0591 ConnectWise [5][4] Command and Scripting Interpreter: PowerShell, Screen Capture, Video Capture
S0496 REvil [1][2] Access Token Manipulation: Create Process with Token, Access Token Manipulation: Token Impersonation/Theft, Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Data Destruction, Data Encrypted for Impact, Deobfuscate/Decode Files or Information, Drive-by Compromise, Encrypted Channel: Asymmetric Cryptography, Exfiltration Over C2 Channel, File and Directory Discovery, Impair Defenses: Disable or Modify Tools, Impair Defenses: Safe Mode Boot, Indicator Removal: File Deletion, Ingress Tool Transfer, Inhibit System Recovery, Loss of Productivity and Revenue, Masquerading: Match Legitimate Name or Location, Masquerading, Modify Registry, Native API, Obfuscated Files or Information, Permission Groups Discovery: Domain Groups, Phishing: Spearphishing Attachment, Process Injection, Query Registry, Remote Services, Scripting, Service Stop, Service Stop, Standard Application Layer Protocol, System Information Discovery, System Location Discovery: System Language Discovery, System Service Discovery, Theft of Operational Information, User Execution: Malicious File, User Execution, Windows Management Instrumentation