1. Home
  2. Groups
  3. GOLD SOUTHFIELD

GOLD SOUTHFIELD

GOLD SOUTHFIELD is a financially motivated threat group active since at least 2018 that operates the REvil Ransomware-as-a Service (RaaS). GOLD SOUTHFIELD provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments. By early 2020, GOLD SOUTHFIELD started capitalizing on the new trend of stealing data and further extorting the victim to pay for their data to not get publicly leaked.[1][2][3][4]

ID: G0115
Associated Groups: Pinchy Spider
Contributors: Thijn Bukkems, Amazon
Version: 2.0
Created: 22 September 2020
Last Modified: 16 April 2025

Associated Group Descriptions

Name Description
Pinchy Spider

[4]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1195 .002 供应链破坏: Compromise Software Supply Chain

GOLD SOUTHFIELD has distributed ransomware by backdooring software installers via a strategic web compromise of the site hosting Italian WinRAR.[1][2][3]
Enterprise T1199 信任关系

GOLD SOUTHFIELD has breached Managed Service Providers (MSP's) to deliver malware to MSP customers.[1]
Enterprise T1190 利用公开应用程序漏洞

GOLD SOUTHFIELD has exploited Oracle WebLogic vulnerabilities for initial compromise.[1]
Enterprise T1059 .001 命令与脚本解释器: PowerShell

GOLD SOUTHFIELD has staged and executed PowerShell scripts on compromised hosts.[5]
Enterprise T1133 外部远程服务

GOLD SOUTHFIELD has used publicly-accessible RDP and remote management and monitoring (RMM) servers to gain access to victim machines.[1]

Enterprise T1113 屏幕捕获

GOLD SOUTHFIELD has used the remote monitoring and management tool ConnectWise to obtain screen captures from victim's machines.[5]
Enterprise T1027 .010 混淆文件或信息: Command Obfuscation

GOLD SOUTHFIELD has executed base64 encoded PowerShell scripts on compromised hosts.[5]
Enterprise T1219 远程访问软件

GOLD SOUTHFIELD has used the cloud-based remote management and monitoring tool "ConnectWise Control" to deploy REvil.[5]
Enterprise T1566 钓鱼

GOLD SOUTHFIELD has conducted malicious spam (malspam) campaigns to gain access to victim's machines.[1]

Software

ID Name References Techniques
S0591 ConnectWise [6][5] 命令与脚本解释器: PowerShell, 屏幕捕获, 视频捕获
S0496 REvil [1][2] Loss of Productivity and Revenue, Masquerading, Remote Services, Scripting, Service Stop, Standard Application Layer Protocol, Theft of Operational Information, User Execution, Windows管理规范, 伪装: Match Legitimate Name or Location, 修改注册表, 加密通道: Asymmetric Cryptography, 反混淆/解码文件或信息, 命令与脚本解释器: Windows Command Shell, 命令与脚本解释器: PowerShell, 命令与脚本解释器: Visual Basic, 妨碍防御: Safe Mode Boot, 妨碍防御: Disable or Modify Tools, 应用层协议: Web Protocols, 执行保护: Mutual Exclusion, 数据加密以实现影响, 数据销毁, 文件和目录发现, 服务停止, 本机API, 权限组发现: Domain Groups, 查询注册表, 浏览器攻击, 混淆文件或信息: Encrypted/Encoded File, 混淆文件或信息: Fileless Storage, 用户执行: Malicious File, 移除指标: File Deletion, 系统位置发现: System Language Discovery, 系统信息发现, 系统恢复抑制, 系统服务发现, 访问令牌操控: Create Process with Token, 访问令牌操控: Token Impersonation/Theft, 输入工具传输, 进程注入, 通过C2信道渗出, 钓鱼: Spearphishing Attachment

References

  1. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
  2. Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.
  3. Secureworks. (n.d.). GOLD SOUTHFIELD. Retrieved October 6, 2020.
  1. Meyers, Adam. (2021, July 6). The Evolution of PINCHY SPIDER from GandCrab to REvil. Retrieved March 28, 2023.
  2. Tetra Defense. (2020, March). CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS. Retrieved December 14, 2020.
  3. Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.