Currently viewing ATT&CK v8.2 which was live between October 27, 2020 and April 28, 2021. Learn more about the versioning system or see the live site.
GROUPS
GROUPS
A-B
C-D
E-F
G-H
I-J
K-L
M-N
O-P
Q-R
S-T
U-V
W-X
Y-Z
No groups
  1. Home
  2. Groups
  3. GOLD SOUTHFIELD

GOLD SOUTHFIELD

GOLD SOUTHFIELD is a financially motivated threat group active since at least 2019 that operates the REvil Ransomware-as-a Service (RaaS). GOLD SOUTHFIELD provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments.[1][2][3]

ID: G0115
Version: 1.0
Created: 22 September 2020
Last Modified: 06 October 2020
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1190 Exploit Public-Facing Application

GOLD SOUTHFIELD has exploited Oracle WebLogic vulnerabilities for initial compromise.[1]
Enterprise T1133 External Remote Services

GOLD SOUTHFIELD has used publicly-accessible RDP and remote management and monitoring (RMM) servers to gain access to victim machines.[1]

Enterprise T1566 Phishing

GOLD SOUTHFIELD has conducted malicious spam (malspam) campaigns to gain access to victim's machines.[1]
Enterprise T1195 .002 Supply Chain Compromise: Compromise Software Supply Chain

GOLD SOUTHFIELD has distributed ransomware by backdooring software installers via a strategic web compromise of the site hosting Italian WinRAR.[1][2][3]
Enterprise T1199 Trusted Relationship

GOLD SOUTHFIELD has breached Managed Service Providers (MSP's) to deliver malware to MSP customers.[1]

Software

ID Name References Techniques
S0496 REvil [1][2] Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Create Process with Token, Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Data Destruction, Data Encrypted for Impact, Deobfuscate/Decode Files or Information, Drive-by Compromise, Encrypted Channel: Asymmetric Cryptography, Exfiltration Over C2 Channel, File and Directory Discovery, Impair Defenses: Disable or Modify Tools, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Inhibit System Recovery, Masquerading: Match Legitimate Name or Location, Modify Registry, Native API, Obfuscated Files or Information, Permission Groups Discovery: Domain Groups, Phishing: Spearphishing Attachment, Process Injection, Query Registry, Service Stop, System Information Discovery, System Service Discovery, User Execution: Malicious File, Windows Management Instrumentation

References

  1. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
  2. Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.
  1. Secureworks. (n.d.). GOLD SOUTHFIELD. Retrieved October 6, 2020.