GOLD SOUTHFIELD
Associated Group Descriptions

| Name | Description |
|---|---|
| Pinchy Spider | (Citation: CrowdStrike Evolution of Pinchy Spider July 2021) |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | GOLD SOUTHFIELD has staged and executed PowerShell scripts on compromised hosts. (Citation: Tetra Defense Sodinokibi March 2020) |
| Enterprise | T1027.010 | Obfuscated Files or Information: Command Obfuscation | GOLD SOUTHFIELD has executed base64-encoded PowerShell scripts on compromised hosts. (Citation: Tetra Defense Sodinokibi March 2020) |
| Enterprise | T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | GOLD SOUTHFIELD has distributed ransomware by backdooring software installers via a strategic web compromise of the site hosting Italian WinRAR. (Citation: Secureworks REvil September 2019) (Citation: Secureworks GandCrab and REvil September 2019) (Citation: Secureworks GOLD SOUTHFIELD) |
Software

| ID | Name | References | Techniques |
|---|---|---|---|
| S0591 | ConnectWise | (Citation: Anomali Static Kitten February 2021) (Citation: ScreenConnect) (Citation: Tetra Defense Sodinokibi March 2020) (Citation: Trend Micro Muddy Water March 2021) | Screen Capture, Video Capture, PowerShell |
| S0496 | REvil | (Citation: Cylance Sodinokibi July 2019) (Citation: G Data Sodinokibi June 2019) (Citation: Group IB Ransomware May 2020) (Citation: Intel 471 REvil March 2020) (Citation: Kaspersky Sodin July 2019) (Citation: McAfee REvil October 2019) (Citation: McAfee Sodinokibi October 2019) (Citation: Picus Sodinokibi January 2020) (Citation: Secureworks GandCrab and REvil September 2019) (Citation: Secureworks REvil September 2019) (Citation: Sodin) (Citation: Sodinokibi) (Citation: Talos Sodinokibi April 2019) (Citation: Tetra Defense Sodinokibi March 2020) | Windows Management Instrumentation, Fileless Storage, Encrypted/Encoded File, Match Legitimate Resource Name or Location, Service Stop, Malicious File, Safe Mode Boot, Domain Groups, Spearphishing Attachment, System Service Discovery, System Information Discovery, Native API, Deobfuscate/Decode Files or Information, Process Injection, Mutual Exclusion, Modify Registry, Create Process with Token, File and Directory Discovery, Token Impersonation/Theft, Exfiltration Over C2 Channel, PowerShell, Disable or Modify Tools, Data Encrypted for Impact, Asymmetric Cryptography, System Language Discovery, Query Registry, Windows Command Shell, Data Destruction, File Deletion, Drive-by Compromise, Web Protocols, Visual Basic, Ingress Tool Transfer, Inhibit System Recovery |
References
- Secureworks. (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.
- Meyers, Adam. (2021, July 6). The Evolution of PINCHY SPIDER from GandCrab to REvil. Retrieved March 28, 2023.
- Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
- Secureworks. (n.d.). GOLD SOUTHFIELD. Retrieved October 6, 2020.
- Tetra Defense. (2020, March). Cause and Effect: Sodinokibi Ransomware Analysis. Retrieved November 17, 2024.
- Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.