21 September 2023

Gold Melody IAB exploits flaws in Oracle, Apache, Sitecore software to hack into corporate networks


Gold Melody IAB exploits flaws in Oracle, Apache, Sitecore software to hack into corporate networks

A cybercrime outfit known as Gold Melody, Prophet Spider or UNC961 exploits known vulnerabilities in the internet-exposed servers to compromise enterprise networks.

The group, which has been around since at least 2017, acts as an initial access broker (IAB) selling access to the hacked networks to other cybercriminals. In some cases, the initial access was used by third parties to deploy ransomware, SecureWorks Counter Threat Unit (CTU) said.

Gold Melody relies on web shells, built-in operating system utilities, and proprietary remote access trojans (RATs) and tunneling tools to facilitate its activity once inside a compromised environment.

The group’s arsenal includes a variety of tools such as Burp Suite Collabfiltrator, an extension used to exploit a vulnerable internet-facing server, IHS Back-Connect backdoor, the GotRoj RAT, the Responder tool used to harvest account details, Mimikatz, Wget, TxPortMap, WinExe, PAExec, PuTTY, 7-ZIP, and Auditunnel.

The gang has been observed exploiting known vulnerabilities in internet-exposed servers as initial access vectors, including Oracle E-Business and WebLogic flaws (CVE-2016-0545, CVE-2020-14882 and CVE-2020-14750), Sitecor (CVE-2021-42237), Apache Struts (CVE-2017-5638), Log4j (CVE-2021-4104), JBoss MQ Java Message Service (CVE-2017-7504), Citrix ShareFile (CVE-2021-22941).

The threat actor was also seen exploiting the Log4Shell vulnerability (CVE-2021-44228) to access a MobileIron Core server.

“Gold Melody conducts a considerable amount of scanning to understand a victim's environment,” the SecureWorks team said. “Scanning begins shortly after gaining access but is repeated and continued throughout the intrusion.”

The threat actor conducts scanning from the breached machine, although it was observed using the initially exploited vulnerability to conduct reconnaissance. In particular, in one intrusion the group executed reconnaissance commands via Apache Struts RCE vulnerability CVE-2017-5638, gathering system information by using the 'whoami' and 'ipconfig' commands.

“CTU analysis indicates that Gold Melody acts as a financially motivated IAB, selling access to other threat actors. The buyers subsequently monetize the access, likely through extortion via ransomware deployment,” the company said.

Back to the list

Latest Posts

Daggerfly APT targets Taiwanese orgs and US NGO in China with upgraded malware arsenal

Daggerfly APT targets Taiwanese orgs and US NGO in China with upgraded malware arsenal

The attackers exploited a bug in an Apache HTTP server to deliver the MgBot malware.
23 July 2024
New FrostyGoop ICS malware left over 600 apartment buildings in Ukraine without heat

New FrostyGoop ICS malware left over 600 apartment buildings in Ukraine without heat

The attackers likely gained access through a vulnerability in an externally facing Mikrotik router.
23 July 2024
NCA infiltrates, disrupts Digitalstress DDoS-for-Hire service

NCA infiltrates, disrupts Digitalstress DDoS-for-Hire service

The crackdown follows the arrest of one of the site's suspected admins earlier this month.
23 July 2024