Cyber Group ‘Gold Melody’ Sells Compromised Access for Ransomware Attacks

September 21, 2023

SecureWorks Counter Threat Unit (CTU) has revealed a financially motivated cybercrime group known as Gold Melody, Prophet Spider, or UNC961, that operates as an initial access broker (IAB). The group has been active since 2017, exploiting vulnerabilities in unpatched internet-facing servers and selling access to these compromised organizations to other adversaries for subsequent attacks, including ransomware.

The group's operations suggest opportunistic attacks for financial gain rather than state-sponsored campaigns for espionage or disruption. Gold Melody has been associated with attacks exploiting security flaws in various servers, including JBoss Messaging (CVE-2017-7504), Citrix ADC (CVE-2019-19781), Oracle WebLogic (CVE-2020-14750 and CVE-2020-14882), GitLab (CVE-2021-22205), Citrix ShareFile Storage Zones Controller (CVE-2021-22941), Atlassian Confluence (CVE-2021-26084), ForgeRock AM (CVE-2021-35464), and Apache Log4j (CVE-2021-44228).

Since mid-2020, the group has expanded its victimology footprint to include retail, health care, energy, financial transactions, and high-tech organizations in North America, Northern Europe, and Western Asia. Mandiant's analysis published in March 2023 noted that UNC961's intrusion activity often preceded the deployment of Maze and Egregor ransomware by different actors. The group was described as resourceful and cost-effective in its initial access operations, exploiting recently disclosed vulnerabilities using publicly available exploit code.

Gold Melody employs a diverse arsenal of techniques, including web shells, built-in operating system software, and publicly available utilities. It also uses proprietary remote access trojans (RATs) and tunneling tools such as GOTROJ, BARNWORK, HOLEDOOR, DARKDOOR, AUDITUNNEL, HOLEPUNCH, LIGHTBUNNY, and HOLERUN to execute arbitrary commands, gather system information, and establish a reverse tunnel with a hard-coded IP address.

SecureWorks linked Gold Melody to five intrusions between July 2020 and July 2022, which involved the abuse of different set of flaws, including those impacting Oracle E-Business Suite (CVE-2016-0545), Apache Struts (CVE-2017-5638), Sitecore XP (CVE-2021-42237), and Flexera FlexNet (CVE-2021-4104) to gain initial access. After gaining a foothold, the group deploys web shells for persistence, creates directories in the compromised host to stage the tools used in the infection chain, and conducts considerable scanning to understand the victim's environment.

Despite the group's efforts, all five attacks were ultimately unsuccessful. Gold Melody operates as a financially motivated IAB, selling access to other threat actors who then monetize the access, likely through ransomware deployment. The group's reliance on exploiting vulnerabilities in unpatched internet-facing servers underscores the importance of robust patch management.

Related News

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.