Friday, December 6, 2024
Homecyber securityGold Melody Attacking Organizations With Burp Extension, Mimikatz, and Other Tools

Gold Melody Attacking Organizations With Burp Extension, Mimikatz, and Other Tools

Published on

SIEM as a Service

The financially motivated GOLD MELODY threat group has been active at least since 2017, attacking organizations by taking advantage of flaws in unpatched internet-facing servers.

A threat group serves as an initial access broker (IAB) by selling access to organizations that have been compromised to other cybercriminals for their gain.

“The victimology suggests opportunistic attacks for financial gain rather than a targeted campaign conducted by a state-sponsored threat group for espionage, destruction, or disruption,” said SecureWorks Counter Threat Unit (CTU).

- Advertisement - SIEM as a Service

Tools Used By The Group

Once within a compromised environment, GOLD MELODY uses proprietary remote access trojans (RATs), web shells, built-in operating system utilities, and tunneling tools. The tools observed are:

Burp Suite Collabfiltrator, IHS Back-Connect backdoor, Wget, Mimikatz, TxPortMap, WinExe, GOTROJ, PAExec, AUDITUNNEL, PuTTY and 7-Zip, Responder.

The behavior seen in five Secureworks IR engagements between July 2020 and July 2022 was linked by researchers to GOLD MELODY.

Tools and TTPs observed across five Secureworks IR engagements

The attacks observed involved taking advantage of a variety of issues, including those affecting Flexera FlexNet (CVE-2021-4104), Oracle E-Business Suite (CVE-2016-0545), Apache Struts (CVE-2017-5638), Sitecore XP (CVE-2021-42237), and Oracle E-Business Suite (CVE-2016-0545).

Particularly, after breaking into a network by taking advantage of flaws in servers that are accessible over the internet, GOLD MELODY tries to build persistence within the infected network. For persistence, GOLD MELODY deployed JSP web shells. 

The threat actors were able to access the server via this web shell and come back frequently to issue commands for reconnaissance. To decode the Base64-encoded web shell in July 2022, the threat actors created a PowerShell script utilizing the Burp Suite Collaborfiltrator extension.

Snippet from Collabfiltrator PowerShell script to decode Base64-encoded web shell

Mitigation

Defense evasion efforts by GOLD MELODY were unsuccessful. In the five intrusions that researchers looked into, early discovery of the malicious activities seems to have stopped the criminal group from accomplishing its goals.

The large number of organizations that GOLD MELODY has targeted implies that the organization poses a serious threat. Its dependence on exploiting flaws in unpatched servers that are accessible through the internet highlights the significance of effective patch management.

Monitoring the perimeter and endpoints is a reliable and efficient method for stopping harmful activities when a group enters the network.

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

One Identity Named Winner of the Coveted Top InfoSec Innovator Awards for 2024

One Identity named Hot Company: Privileged Access Management (PAM) in 12th Cyber Defense Magazine’s...

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...

HackSynth : Autonomous Pentesting Framework For Simulating Cyberattacks

HackSynth is an autonomous penetration testing agent that leverages Large Language Models (LLMs) to...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

One Identity Named Winner of the Coveted Top InfoSec Innovator Awards for 2024

One Identity named Hot Company: Privileged Access Management (PAM) in 12th Cyber Defense Magazine’s...

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...