GOLD SOUTHFIELD
GOLD SOUTHFIELD is a financially motivated threat group active since at least 2019 that operates the REvil Ransomware-as-a-Service (RaaS). GOLD SOUTHFIELD provides the backend infrastructure; affiliates recruited on underground forums carry out the high-value deployments.[1][2][3]
Techniques Used
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1190 | Exploit Public-Facing Application | GOLD SOUTHFIELD has exploited Oracle WebLogic vulnerabilities for initial compromise.[1]
Enterprise | T1133 | External Remote Services | GOLD SOUTHFIELD has used publicly accessible RDP and remote monitoring and management (RMM) servers to gain access to victim machines.[1]
Enterprise | T1566 | Phishing | GOLD SOUTHFIELD has conducted malicious spam (malspam) campaigns to gain access to victims' machines.[1]
Enterprise | T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | GOLD SOUTHFIELD has distributed ransomware by backdooring software installers via a strategic web compromise of the site hosting the Italian WinRAR distribution.[1][2][3]
Enterprise | T1199 | Trusted Relationship | GOLD SOUTHFIELD has breached Managed Service Providers (MSPs) to deliver malware to MSP customers.[1]
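The External Remote Services row above describes access through publicly reachable RDP servers. The following is an added detection example, not part of the ATT&CK page or any cited report: it flags successful RemoteInteractive logons (Windows Security event 4624, LogonType 10) whose source address lies outside RFC 1918 and local ranges, and counts failed logons (4625, LogonType 10) per external source to surface brute forcing against an exposed RDP service. The key=value log format, field names and sample events are constructed for illustration; the sample external sources use RFC 5737 documentation addresses, which is why the check tests against explicit internal ranges rather than `ipaddress.is_private` (which also treats documentation ranges as private).

```python
"""
Added example: detect interactive RDP logons and RDP brute forcing from
external sources. Not taken from the ATT&CK page or any vendor report.
Field names (EventID, LogonType, TargetUserName, IpAddress) are assumptions
modelled on Windows Security event fields.
"""
from collections import Counter
import ipaddress

# Constructed sample events for illustration only. The external sources use
# RFC 5737 documentation addresses (198.51.100.0/24, 203.0.113.0/24).
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=10 TargetUserName=admin IpAddress=10.0.0.15 Workstation=WS01",
    "EventID=4624 LogonType=10 TargetUserName=admin IpAddress=203.0.113.42 Workstation=WS01",
    "EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.7 Workstation=WS01",
    "EventID=4625 LogonType=10 TargetUserName=backup IpAddress=198.51.100.7 Workstation=WS01",
    "EventID=4625 LogonType=10 TargetUserName=sql IpAddress=198.51.100.7 Workstation=WS01",
    "EventID=4624 LogonType=3 TargetUserName=svc_backup IpAddress=192.168.1.20 Workstation=FS01",
    "EventID=4624 LogonType=10 TargetUserName=helpdesk IpAddress=- Workstation=WS02",
]

# Ranges treated as internal. Checked explicitly instead of via is_private so
# that documentation ranges in the constructed sample count as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fe80::/10", "fc00::/7",                # IPv6 equivalents
)]


def parse_event(line):
    """Split a 'key=value key=value' line into a dict; ignore tokens without '='."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
    return fields


def is_external(addr):
    """True for a parseable address outside INTERNAL_NETS; '-' or garbage is not flagged."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    # 'ip in net' is False when address and network versions differ.
    return not any(ip in net for net in INTERNAL_NETS)


def _rdp_events(lines, event_id):
    """Yield parsed events matching event_id with LogonType 10 and an external source."""
    for line in lines:
        ev = parse_event(line)
        if (ev.get("EventID") == event_id and ev.get("LogonType") == "10"
                and is_external(ev.get("IpAddress", ""))):
            yield ev


def external_rdp_logons(lines):
    """Return (user, source_ip) for each successful RDP logon from an external address."""
    return [(ev.get("TargetUserName"), ev["IpAddress"]) for ev in _rdp_events(lines, "4624")]


def external_rdp_failures(lines, threshold=3):
    """Return {source_ip: count} for external sources with at least `threshold` failed RDP logons."""
    counts = Counter(ev["IpAddress"] for ev in _rdp_events(lines, "4625"))
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for user, ip in external_rdp_logons(SAMPLE_EVENTS):
        print(f"ALERT external RDP logon: user={user} src={ip}")
    for ip, n in external_rdp_failures(SAMPLE_EVENTS).items():
        print(f"ALERT possible RDP brute force: src={ip} failures={n}")
```

A successful LogonType 10 logon from outside the organisation's address space is the primary signal; the failure count is a secondary one, and the threshold should be tuned to the environment. In a real pipeline, replace INTERNAL_NETS with the organisation's own address allocations and known VPN egress ranges so that legitimate remote administrators are not flagged.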