G0115 GOLD SOUTHFIELD

GOLD SOUTHFIELD is a financially motivated threat group active since at least 2018 that operates the REvil Ransomware-as-a-Service (RaaS). GOLD SOUTHFIELD provides backend infrastructure for affiliates recruited on underground forums to perpetrate high-value deployments. By early 2020, GOLD SOUTHFIELD started capitalizing on the new trend of stealing data and further extorting the victim to pay so that their data is not publicly leaked.[1][3][4][2]

| Item | Value |
|---|---|
| ID | G0115 |
| Associated Names | Pinchy Spider |
| Version | 2.0 |
| Created | 22 September 2020 |
| Last Modified | 28 March 2023 |

Associated Group Descriptions

| Name | Description |
|---|---|
| Pinchy Spider | [2] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | GOLD SOUTHFIELD has staged and executed PowerShell scripts on compromised hosts.[5] |
| enterprise | T1190 | Exploit Public-Facing Application | GOLD SOUTHFIELD has exploited Oracle WebLogic vulnerabilities for initial compromise.[1] |
| enterprise | T1133 | External Remote Services | GOLD SOUTHFIELD has used publicly accessible RDP and remote management and monitoring (RMM) servers to gain access to victim machines.[1] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.010 | Command Obfuscation | GOLD SOUTHFIELD has executed base64-encoded PowerShell scripts on compromised hosts.[5] |
| enterprise | T1566 | Phishing | GOLD SOUTHFIELD has conducted malicious spam (malspam) campaigns to gain access to victims' machines.[1] |
| enterprise | T1219 | Remote Access Software | GOLD SOUTHFIELD has used the cloud-based remote management and monitoring tool "ConnectWise Control" to deploy REvil.[5] |
| enterprise | T1113 | Screen Capture | GOLD SOUTHFIELD has used the remote monitoring and management tool ConnectWise to obtain screen captures from victims' machines.[5] |
| enterprise | T1195 | Supply Chain Compromise | - |
| enterprise | T1195.002 | Compromise Software Supply Chain | GOLD SOUTHFIELD has distributed ransomware by backdooring software installers via a strategic web compromise of the site hosting Italian WinRAR.[1][3][4] |
| enterprise | T1199 | Trusted Relationship | GOLD SOUTHFIELD has breached Managed Service Providers (MSPs) to deliver malware to MSP customers.[1] |

Software

| ID | Name | References | Techniques |
|---|---|---|---|
| S0591 | ConnectWise | [6][5] | PowerShell:Command and Scripting Interpreter, Screen Capture, Video Capture |
| S0496 | REvil | [1][3] | Token Impersonation/Theft:Access Token Manipulation, Create Process with Token:Access Token Manipulation, Web Protocols:Application Layer Protocol, PowerShell:Command and Scripting Interpreter, Visual Basic:Command and Scripting Interpreter, Windows Command Shell:Command and Scripting Interpreter, Data Destruction, Data Encrypted for Impact, Deobfuscate/Decode Files or Information, Drive-by Compromise, Asymmetric Cryptography:Encrypted Channel, Exfiltration Over C2 Channel, File and Directory Discovery, Safe Mode Boot:Impair Defenses, Disable or Modify Tools:Impair Defenses, File Deletion:Indicator Removal, Ingress Tool Transfer, Inhibit System Recovery, Loss of Productivity and Revenue, Match Legitimate Name or Location:Masquerading, Masquerading, Modify Registry, Native API, Obfuscated Files or Information, Fileless Storage:Obfuscated Files or Information, Domain Groups:Permission Groups Discovery, Spearphishing Attachment:Phishing, Process Injection, Query Registry, Remote Services, Scripting, Service Stop, Service Stop, Standard Application Layer Protocol, System Information Discovery, System Language Discovery:System Location Discovery, System Service Discovery, Theft of Operational Information, Malicious File:User Execution, User Execution, Windows Management Instrumentation |

References