The financially motivated GOLD MELODY threat group has been actively targeting organizations since 2017, exploiting vulnerabilities in unpatched internet-facing servers. The group operates as an initial access broker (IAB), selling access to compromised organizations to other cybercriminals for financial gain. The Secureworks Counter Threat Unit (CTU) has analyzed the group's activities and concluded that its attacks are opportunistic and aimed at maximizing profit, rather than a targeted campaign for espionage or disruption.
GOLD MELODY employs a variety of tools once it gains access to a compromised environment. These include remote access trojans (RATs), web shells, built-in operating system utilities, and tunneling tools. Specific tools observed in its attacks are Burp Suite Collabfiltrator, the IHS Back-Connect backdoor, Wget, Mimikatz, TxPortMap, WinExe, GOTROJ, PAExec, AUDITUNNEL, PuTTY, and 7-Zip. Researchers have linked the behavior observed in five Secureworks Incident Response (IR) engagements between July 2020 and July 2022 to GOLD MELODY.
The attacks conducted by GOLD MELODY exploit various vulnerabilities, including those affecting Flexera FlexNet, Oracle E-Business Suite, Apache Struts, and Sitecore XP. The group takes advantage of flaws in internet-accessible servers to gain initial access to the network. Once inside, it focuses on establishing persistence by deploying JSP web shells, which allow the threat actors to access the compromised server and issue commands for reconnaissance. In July 2022, the threat actors used a PowerShell script, leveraging the Burp Suite Collabfiltrator extension, to decode a Base64-encoded web shell.
Despite GOLD MELODY's efforts to evade detection, its attacks were mitigated successfully in the five incidents investigated by researchers: early discovery of the malicious activity prevented the group from achieving its goals. However, the large number of organizations targeted by GOLD MELODY is a cause for concern and highlights the seriousness of this threat. The group's reliance on unpatched, internet-accessible servers emphasizes the importance of effective patch management. Monitoring both the network perimeter and endpoints is a reliable and efficient strategy for detecting and stopping malicious activity once a threat group has entered the network.
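As an added illustration of the endpoint monitoring recommended above (example code written for this page, not Secureworks' detection content or anything from the report), the following Python scanner flags JSP files in a web root that contain process-spawning calls, including calls hidden inside Base64 text of the kind the decoded web shell used. The indicator list, severity rules, file names and file contents are all constructed for the example.

```python
import base64
import re

# Indicator patterns for process spawning and attacker-controlled input in JSP source.
# Constructed for this example; they are not Secureworks' detection content.
EXEC_PATTERNS = {
    "runtime_exec": re.compile(r"Runtime\.getRuntime\(\)\.exec\s*\("),
    "process_builder": re.compile(r"new\s+ProcessBuilder\s*\("),
    "request_param": re.compile(r"request\.getParameter\s*\("),
}
# A run of Base64 text long enough to carry an encoded JSP fragment.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_blobs(text):
    """Return the decoded text of every Base64 run embedded in the source."""
    decoded = []
    for match in B64_BLOB.finditer(text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError: not valid Base64
            continue
        decoded.append(raw.decode("utf-8", errors="ignore"))
    return decoded


def scan_jsp(source):
    """Classify one JSP file: 'none', 'medium' (spawns a process) or 'high'
    (spawns a process and reads a request parameter in the same file)."""
    hits = {name for name, pat in EXEC_PATTERNS.items() if pat.search(source)}
    for blob in decode_blobs(source):
        hits.update(f"b64:{name}" for name, pat in EXEC_PATTERNS.items() if pat.search(blob))
    spawns = any(h.endswith(("runtime_exec", "process_builder")) for h in hits)
    tainted = any(h.endswith("request_param") for h in hits)
    severity = "high" if spawns and tainted else "medium" if spawns else "none"
    return {"severity": severity, "indicators": sorted(hits)}


def scan_files(files):
    """Scan a mapping of path -> JSP source; return only the files worth triaging."""
    findings = {path: scan_jsp(src) for path, src in files.items()}
    return {p: r for p, r in findings.items() if r["severity"] != "none"}


# Constructed sample web root: a benign page, a plaintext shell-like file, and one
# that hides the same call inside a Base64 string.
_ENCODED = base64.b64encode(b'<% Runtime.getRuntime().exec(request.getParameter("c")); %>')
SAMPLE_FILES = {
    "index.jsp": '<html><body>Hello <%= request.getParameter("name") %></body></html>',
    "cache.jsp": '<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>',
    "tmp.jsp": '<%= "' + _ENCODED.decode() + '" %>',
}
```

Running `scan_files(SAMPLE_FILES)` flags `cache.jsp` and `tmp.jsp` as high severity and leaves `index.jsp` alone; in practice the mapping would be built from files in the web root, prioritising those written recently.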
In view of the ongoing threat posed by groups like GOLD MELODY, it is crucial for organizations to stay informed about the latest news and developments in cybersecurity. By following reputable sources such as Google News, LinkedIn, Twitter, and Facebook, organizations can stay up to date with the latest threats and adopt proactive measures to protect their systems and data.