GOLD SOUTHFIELD
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | GOLD SOUTHFIELD has staged and executed PowerShell scripts on compromised hosts. (Citation: Tetra Defense Sodinokibi March 2020)
Enterprise | T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | GOLD SOUTHFIELD has distributed ransomware by backdooring software installers via a strategic web compromise of the site hosting Italian WinRAR. (Citation: Secureworks REvil September 2019) (Citation: Secureworks GandCrab and REvil September 2019) (Citation: Secureworks GOLD SOUTHFIELD)
Software

ID | Name | References | Techniques
---|---|---|---
S0591 | ConnectWise | (Citation: Anomali Static Kitten February 2021) (Citation: ScreenConnect) (Citation: Tetra Defense Sodinokibi March 2020) (Citation: Trend Micro Muddy Water March 2021) | Video Capture, PowerShell, Screen Capture
S0496 | REvil | (Citation: Cylance Sodinokibi July 2019) (Citation: G Data Sodinokibi June 2019) (Citation: Group IB Ransomware May 2020) (Citation: Intel 471 REvil March 2020) (Citation: Kaspersky Sodin July 2019) (Citation: McAfee REvil October 2019) (Citation: McAfee Sodinokibi October 2019) (Citation: Picus Sodinokibi January 2020) (Citation: Secureworks GandCrab and REvil September 2019) (Citation: Secureworks REvil September 2019) (Citation: Sodin) (Citation: Sodinokibi) (Citation: Talos Sodinokibi April 2019) (Citation: Tetra Defense Sodinokibi March 2020) | Safe Mode Boot, Data Encrypted for Impact, Windows Command Shell, Disable or Modify Tools, PowerShell, Asymmetric Cryptography, Process Injection, Match Legitimate Name or Location, Modify Registry, Data Destruction, Query Registry, Visual Basic, Exfiltration Over C2 Channel, Service Stop, System Information Discovery, Native API, Malicious File, Create Process with Token, File and Directory Discovery, Obfuscated Files or Information, Drive-by Compromise, System Service Discovery, Windows Management Instrumentation, Deobfuscate/Decode Files or Information, Spearphishing Attachment, Ingress Tool Transfer, System Language Discovery, Token Impersonation/Theft, Web Protocols, Domain Groups, File Deletion, Inhibit System Recovery
References
- Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.
- Tetra Defense. (2020, March). CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS. Retrieved December 14, 2020.
- Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
- Secureworks. (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.
- Secureworks. (n.d.). GOLD SOUTHFIELD. Retrieved October 6, 2020.