GOLD SOUTHFIELD - G0115 (c77c5576-ca19-42ed-a36f-4b4486a84133)

GOLD SOUTHFIELD is a financially motivated threat group active since at least 2018 that operates the REvil Ransomware-as-a Service (RaaS). GOLD SOUTHFIELD provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments. By early 2020, GOLD SOUTHFIELD started capitalizing on the new trend of stealing data and further extorting the victim to pay for their data to not get publicly leaked.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)(Citation: CrowdStrike Evolution of Pinchy Spider July 2021)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377)	Attack Pattern	GOLD SOUTHFIELD - G0115 (c77c5576-ca19-42ed-a36f-4b4486a84133)	Intrusion Set	1
GOLD SOUTHFIELD - G0115 (c77c5576-ca19-42ed-a36f-4b4486a84133)	Intrusion Set	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	1
REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	GOLD SOUTHFIELD - G0115 (c77c5576-ca19-42ed-a36f-4b4486a84133)	Intrusion Set	1
ConnectWise - S0591 (842976c7-f9c8-41b2-8371-41dc64fbe261)	mitre-tool	GOLD SOUTHFIELD - G0115 (c77c5576-ca19-42ed-a36f-4b4486a84133)	Intrusion Set	1
GOLD SOUTHFIELD - G0115 (c77c5576-ca19-42ed-a36f-4b4486a84133)	Intrusion Set	Trusted Relationship - T1199 (9fa07bef-9c81-421e-a8e5-ad4366c5a925)	Attack Pattern	1
GOLD SOUTHFIELD - G0115 (c77c5576-ca19-42ed-a36f-4b4486a84133)	Intrusion Set	Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	1
GOLD SOUTHFIELD - G0115 (c77c5576-ca19-42ed-a36f-4b4486a84133)	Intrusion Set	Compromise Software Supply Chain - T1195.002 (bd369cd9-abb8-41ce-b5bb-fff23ee86c00)	Attack Pattern	1
Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7)	Attack Pattern	GOLD SOUTHFIELD - G0115 (c77c5576-ca19-42ed-a36f-4b4486a84133)	Intrusion Set	1
GOLD SOUTHFIELD - G0115 (c77c5576-ca19-42ed-a36f-4b4486a84133)	Intrusion Set	Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c)	Attack Pattern	1
GOLD SOUTHFIELD - G0115 (c77c5576-ca19-42ed-a36f-4b4486a84133)	Intrusion Set	External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d)	Attack Pattern	1
GOLD SOUTHFIELD - G0115 (c77c5576-ca19-42ed-a36f-4b4486a84133)	Intrusion Set	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	1
Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	2
REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	2
REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6)	Attack Pattern	2
REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0)	Attack Pattern	2
REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742)	Attack Pattern	2
REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	2
Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d)	Attack Pattern	REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	2
REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	2
REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19)	Attack Pattern	2
Safe Mode Boot - T1562.009 (28170e17-8384-415c-8486-2e6b294cb803)	Attack Pattern	REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	2
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	2
Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	2
Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a)	Attack Pattern	REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	2
REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa)	Attack Pattern	2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	2
REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	2
REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	2
REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	2
REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	2
REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	2
Data Destruction - T1485 (d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c)	Attack Pattern	REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	2
REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	2
Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b)	Attack Pattern	REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	2
Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf)	Attack Pattern	REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	2
Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939)	Attack Pattern	REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	2
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	2
REvil - S0496 (ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5)	Malware	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	2
Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf)	Attack Pattern	ConnectWise - S0591 (842976c7-f9c8-41b2-8371-41dc64fbe261)	mitre-tool	2
ConnectWise - S0591 (842976c7-f9c8-41b2-8371-41dc64fbe261)	mitre-tool	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	2
ConnectWise - S0591 (842976c7-f9c8-41b2-8371-41dc64fbe261)	mitre-tool	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	2
Supply Chain Compromise - T1195 (3f18edba-28f4-4bb9-82c3-8aa60dcac5f7)	Attack Pattern	Compromise Software Supply Chain - T1195.002 (bd369cd9-abb8-41ce-b5bb-fff23ee86c00)	Attack Pattern	2
Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852)	Attack Pattern	Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742)	Attack Pattern	3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	3
Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d)	Attack Pattern	Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	3
System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979)	Attack Pattern	System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19)	Attack Pattern	3
Safe Mode Boot - T1562.009 (28170e17-8384-415c-8486-2e6b294cb803)	Attack Pattern	Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	3
Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce)	Attack Pattern	3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	3
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	3
Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf)	Attack Pattern	Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939)	Attack Pattern	3
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	3
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	3
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	3