
GOLD SOUTHFIELD

GOLD SOUTHFIELD is a financially motivated threat group active since at least 2019 that operates the REvil Ransomware-as-a-Service (RaaS). GOLD SOUTHFIELD provides the backend infrastructure that affiliates recruited on underground forums use to carry out high-value deployments.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)
ID: G0115
Associated Groups: 
Version: 1.1
Created: 22 Sep 2020
Last Modified: 26 Apr 2021

Associated Group Descriptions

Name Description

Techniques Used

Domain ID Name Use
Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

GOLD SOUTHFIELD has staged and executed PowerShell scripts on compromised hosts.(Citation: Tetra Defense Sodinokibi March 2020)

Enterprise T1195.002 Supply Chain Compromise: Compromise Software Supply Chain

GOLD SOUTHFIELD has distributed ransomware by backdooring software installers via a strategic web compromise of the site hosting Italian WinRAR.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)

Software

ID Name References Techniques
S0591 ConnectWise (Citation: Anomali Static Kitten February 2021) (Citation: ScreenConnect) (Citation: Tetra Defense Sodinokibi March 2020) (Citation: Trend Micro Muddy Water March 2021) Video Capture, PowerShell, Screen Capture
S0496 REvil (Citation: Cylance Sodinokibi July 2019) (Citation: G Data Sodinokibi June 2019) (Citation: Group IB Ransomware May 2020) (Citation: Intel 471 REvil March 2020) (Citation: Kaspersky Sodin July 2019) (Citation: McAfee REvil October 2019) (Citation: McAfee Sodinokibi October 2019) (Citation: Picus Sodinokibi January 2020) (Citation: Secureworks GandCrab and REvil September 2019) (Citation: Secureworks REvil September 2019) (Citation: Sodin) (Citation: Sodinokibi) (Citation: Talos Sodinokibi April 2019) (Citation: Tetra Defense Sodinokibi March 2020) Safe Mode Boot, Data Encrypted for Impact, Windows Command Shell, Disable or Modify Tools, PowerShell, Asymmetric Cryptography, Process Injection, Match Legitimate Name or Location, Modify Registry, Data Destruction, Query Registry, Visual Basic, Exfiltration Over C2 Channel, Service Stop, System Information Discovery, Native API, Malicious File, Create Process with Token, File and Directory Discovery, Obfuscated Files or Information, Drive-by Compromise, System Service Discovery, Windows Management Instrumentation, Deobfuscate/Decode Files or Information, Spearphishing Attachment, Ingress Tool Transfer, System Language Discovery, Token Impersonation/Theft, Web Protocols, Domain Groups, File Deletion, Inhibit System Recovery
