GOLD SOUTHFIELD - G0115 (c77c5576-ca19-42ed-a36f-4b4486a84133)

GOLD SOUTHFIELD is a financially motivated threat group active since at least 2018 that operates the REvil Ransomware-as-a Service (RaaS). GOLD SOUTHFIELD provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments. By early 2020, GOLD SOUTHFIELD started capitalizing on the new trend of stealing data and further extorting the victim to pay for their data to not get publicly leaked.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)(Citation: CrowdStrike Evolution of Pinchy Spider July 2021)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	GOLD SOUTHFIELD - G0115 (c77c5576-ca19-42ed-a36f-4b4486a84133)	Intrusion Set	1
GOLD SOUTHFIELD - G0115 (c77c5576-ca19-42ed-a36f-4b4486a84133)	Intrusion Set	Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377)	Attack Pattern	1
Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c)	Attack Pattern	GOLD SOUTHFIELD - G0115 (c77c5576-ca19-42ed-a36f-4b4486a84133)	Intrusion Set	1
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	GOLD SOUTHFIELD - G0115 (c77c5576-ca19-42ed-a36f-4b4486a84133)	Intrusion Set	1
GOLD SOUTHFIELD - G0115 (c77c5576-ca19-42ed-a36f-4b4486a84133)	Intrusion Set	REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	1
GOLD SOUTHFIELD - G0115 (c77c5576-ca19-42ed-a36f-4b4486a84133)	Intrusion Set	Compromise Software Supply Chain - T1195.002 (bd369cd9-abb8-41ce-b5bb-fff23ee86c00)	Attack Pattern	1
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	GOLD SOUTHFIELD - G0115 (c77c5576-ca19-42ed-a36f-4b4486a84133)	Intrusion Set	1
GOLD SOUTHFIELD - G0115 (c77c5576-ca19-42ed-a36f-4b4486a84133)	Intrusion Set	Remote Access Software - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7)	Attack Pattern	1
GOLD SOUTHFIELD - G0115 (c77c5576-ca19-42ed-a36f-4b4486a84133)	Intrusion Set	ConnectWise - S0591 (842976c7-f9c8-41b2-8371-41dc64fbe261)	mitre-tool	1
External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d)	Attack Pattern	GOLD SOUTHFIELD - G0115 (c77c5576-ca19-42ed-a36f-4b4486a84133)	Intrusion Set	1
GOLD SOUTHFIELD - G0115 (c77c5576-ca19-42ed-a36f-4b4486a84133)	Intrusion Set	Trusted Relationship - T1199 (9fa07bef-9c81-421e-a8e5-ad4366c5a925)	Attack Pattern	1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377)	Attack Pattern	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	2
REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939)	Attack Pattern	2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	2
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	2
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	2
Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6)	Attack Pattern	REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	2
REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	2
REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d)	Attack Pattern	2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	2
Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf)	Attack Pattern	REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	2
REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	2
REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	2
Data Destruction - T1485 (d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c)	Attack Pattern	REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	2
Safe Mode Boot - T1562.009 (28170e17-8384-415c-8486-2e6b294cb803)	Attack Pattern	REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	2
REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b)	Attack Pattern	2
Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0)	Attack Pattern	REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	2
REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	2
System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19)	Attack Pattern	REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	2
Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a)	Attack Pattern	REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	2
REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa)	Attack Pattern	2
REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	2
Supply Chain Compromise - T1195 (3f18edba-28f4-4bb9-82c3-8aa60dcac5f7)	Attack Pattern	Compromise Software Supply Chain - T1195.002 (bd369cd9-abb8-41ce-b5bb-fff23ee86c00)	Attack Pattern	2
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	ConnectWise - S0591 (842976c7-f9c8-41b2-8371-41dc64fbe261)	mitre-tool	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	ConnectWise - S0591 (842976c7-f9c8-41b2-8371-41dc64fbe261)	mitre-tool	2
Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf)	Attack Pattern	ConnectWise - S0591 (842976c7-f9c8-41b2-8371-41dc64fbe261)	mitre-tool	2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939)	Attack Pattern	3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	3
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	3
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	3
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	3
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d)	Attack Pattern	3
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	3
Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf)	Attack Pattern	Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	3
Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce)	Attack Pattern	3
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	3
Safe Mode Boot - T1562.009 (28170e17-8384-415c-8486-2e6b294cb803)	Attack Pattern	Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	3
System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19)	Attack Pattern	System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979)	Attack Pattern	3
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	3
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	3
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	3