A cybercrime outfit known as Gold Melody, Prophet Spider or UNC961 exploits known vulnerabilities in the internet-exposed servers to compromise enterprise networks.
The group, which has been around since at least 2017, acts as an initial access broker (IAB) selling access to the hacked networks to other cybercriminals. In some cases, the initial access was used by third parties to deploy ransomware, SecureWorks Counter Threat Unit (CTU) said.
Gold Melody relies on web shells, built-in operating system utilities, and proprietary remote access trojans (RATs) and tunneling tools to facilitate its activity once inside a compromised environment.
The group’s arsenal includes a variety of tools such as Burp Suite Collabfiltrator, an extension used to exploit a vulnerable internet-facing server, IHS Back-Connect backdoor, the GotRoj RAT, the Responder tool used to harvest account details, Mimikatz, Wget, TxPortMap, WinExe, PAExec, PuTTY, 7-ZIP, and Auditunnel.
The gang has been observed exploiting known vulnerabilities in internet-exposed servers as initial access vectors, including Oracle E-Business and WebLogic flaws (CVE-2016-0545, CVE-2020-14882 and CVE-2020-14750), Sitecor (CVE-2021-42237), Apache Struts (CVE-2017-5638), Log4j (CVE-2021-4104), JBoss MQ Java Message Service (CVE-2017-7504), Citrix ShareFile (CVE-2021-22941).
The threat actor was also seen exploiting the Log4Shell vulnerability (CVE-2021-44228) to access a MobileIron Core server.
“Gold Melody conducts a considerable amount of scanning to understand a victim's environment,” the SecureWorks team said. “Scanning begins shortly after gaining access but is repeated and continued throughout the intrusion.”
The threat actor conducts scanning from the breached machine, although it was observed using the initially exploited vulnerability to conduct reconnaissance. In particular, in one intrusion the group executed reconnaissance commands via Apache Struts RCE vulnerability CVE-2017-5638, gathering system information by using the 'whoami' and 'ipconfig' commands.
“CTU analysis indicates that Gold Melody acts as a financially motivated IAB, selling access to other threat actors. The buyers subsequently monetize the access, likely through extortion via ransomware deployment,” the company said.