{"id":2125,"date":"2021-05-19T13:27:00","date_gmt":"2021-05-19T11:27:00","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=2125"},"modified":"2023-12-20T11:34:10","modified_gmt":"2023-12-20T11:34:10","slug":"revil-ransomware-operator-a-time-zone-analysis","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/featured\/revil-ransomware-operator-a-time-zone-analysis\/","title":{"rendered":"REvil Ransomware Operator: A time zone analysis"},"content":{"rendered":"\n<p>In April 2021, an unidentified&nbsp;<a href=\"https:\/\/attack.mitre.org\/groups\/G0115\/\">Gold Southfield<\/a>&nbsp;operator carried out a ransomware attack against a European company. Initial access was obtained by Gold Cabin, an access broker that deploys&nbsp;<a href=\"https:\/\/attack.mitre.org\/software\/S0483\/\">IcedID<\/a>&nbsp;(Bokbot), a Remote Access Tool (RAT) malware [<a href=\"https:\/\/thedfirreport.com\/2021\/03\/29\/sodinokibi-aka-revil-ransomware\/\">link<\/a>].<\/p>\n\n\n\n<p>Once inside the company, the access broker passes privileges to the main operator, who deploys the REvil ransomware. This threat actor uses typical escalation techniques and moves laterally using CobaltStrike, Mimikatz, and other tools.<\/p>\n\n\n\n<p>In this article, we focus on the&nbsp;<strong>anomaly related to the time zone on the attacker\u2019s machine<\/strong>. Our information on the attack operations that were performed identifies cyber activity over roughly 10 days.<\/p>\n\n\n\n<p>Starting from the attack timelines also shared by other cybersecurity groups [<a href=\"https:\/\/thedfirreport.com\/2021\/03\/29\/sodinokibi-aka-revil-ransomware\/\">link<\/a>], we investigate the actual times at which the attack operations were performed, with surprising results. We are the first to identify that this piece of malware (<em><strong>csharp-streamer.exe<\/strong><\/em>) can be traced back to a Gold Southfield operator. 
Also, most surprisingly, despite REvil\u2019s mandate to work exclusively with Russian-speaking cybercriminals, we find that the time zone of the operations is UTC-8 (West Coast, US\/Canada).<\/p>\n\n\n\n<h2 class=\"wp-block-heading has-text-align-center\" id=\"h-threat-actors-involved-and-profiles\">Threat Actors involved and Profiles<\/h2>\n\n\n<div class=\"wp-block-image 
caption-align-center\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"694\" height=\"638\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/12\/threatactors_incident.png\" alt=\"\" class=\"wp-image-4251\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/12\/threatactors_incident.png 694w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/12\/threatactors_incident-300x276.png 300w\" sizes=\"(max-width: 694px) 100vw, 694px\" loading=\"lazy\" \/><figcaption class=\"wp-element-caption\">Fig. 1 &#8211; Involved Threat Actors<\/figcaption><\/figure>\n<\/div>\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong><em>Gold Southfield<\/em><\/strong><em>&nbsp;(Pinchy Spider) is a financially motivated cybercriminal threat group that authors and operates the REvil (aka Sodinokibi) ransomware on behalf of various affiliated threat groups.<br> Gold Southfield operates the backend infrastructure used by affiliates (also called partners) to create malware builds and to collect ransom payments from victims. 
REvil partners are recruited on semi-exclusive underground forums by the Russian-speaking Gold Southfield operators who refuse to work with English-speaking criminals.<br> In December 2019, Gold Southfield began operating a name-and-shame style website that uses stolen data from intrusions to generate additional leverage against victims.<\/em><\/p>\n<cite><em>Reference: <a href=\"https:\/\/attack.mitre.org\/groups\/G0115\/\" class=\"ek-link\">Link 1<\/a>, <a href=\"https:\/\/www.secureworks.com\/research\/threat-profiles\/gold-southfield\" class=\"ek-link\">Link 2<\/a><\/em><\/cite><\/blockquote>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong><em>Gold Cabin<\/em><\/strong><em>&nbsp;is a financially motivated cybercriminal threat group operating a malware distribution service on behalf of numerous customers since 2018. Gold Cabin uses malicious documents, often contained in password-protected archives delivered through email to download and execute payloads. The second-stage payloads are most frequently Gozi ISFB (Ursnif) or IcedID (Bokbot), sometimes using intermediary malware like Valak. 
<\/em><\/p>\n<cite><em>Reference: <a href=\"https:\/\/attack.mitre.org\/groups\/G0127\/\" class=\"ek-link\">Link 1<\/a>, <a href=\"https:\/\/www.secureworks.com\/research\/threat-profiles\/gold-cabin\" class=\"ek-link\">Link 2<\/a><\/em><\/cite><\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading has-text-align-center\" id=\"h-threat-actor-infrastructure\">Threat actor infrastructure<\/h2>\n\n\n\n<p>First, we explain the threat actor\u2019s architecture and the attack details based on the CobaltStrike post-exploitation framework \u2013 a very common tool used in this type of cyber operation.<\/p>\n\n\n\n<p>The attack in a nutshell \u2013 our analysis:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We are the first to discover that the &#8220;<strong><em>csharp-streamer.exe<\/em><\/strong>&#8221; code is related to the REvil ransomware attack (see the IOC table of similar samples below);<\/li>\n\n\n\n<li>Identified the CobaltStrike <strong>C2 server and configuration<\/strong> (Fig. 2, Section 2);<\/li>\n\n\n\n<li>Identified the <strong>UTC-8<\/strong> time zone setting (Fig. 3, Section 2);<\/li>\n\n\n\n<li>Analysed the regular working times of the attackers across different time zones (Fig. 4, Section 3).<\/li>\n<\/ul>\n\n\n\n<p>The CobaltStrike C2 server, located in Europe, belongs to a German company that offers hosting services. The threat actor used a remote host \u201cWIN-XXXX\u201d to connect to the internal server through an SSL tunnel. 
They then used RDP\/SMB services and the compromised credentials to gain access to other systems in the infrastructure:<\/p>\n\n\n\n<figure class=\"wp-block-image alignwide size-full caption-align-center\"><img decoding=\"async\" width=\"1024\" height=\"348\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/12\/OpInfrastructure-1024x348-1.webp\" alt=\"\" class=\"wp-image-4253\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/12\/OpInfrastructure-1024x348-1.webp 1024w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/12\/OpInfrastructure-1024x348-1-300x102.webp 300w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/12\/OpInfrastructure-1024x348-1-768x261.webp 768w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" loading=\"lazy\" \/><\/figure>\n\n\n\n<p>Interestingly, the RDP servers that received the malicious connections recorded the UTC offset difference between server and client and logged it in the Windows Event Log. 
<strong>This information places the \u201cWIN-XXXX\u201d host in the UTC-8 time zone (West Coast, USA &amp; Canada), which in turn does not correspond to how Gold Southfield typically operates and recruits.<\/strong><\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>REvil partners are recruited on semi-exclusive underground forums by the Russian-speaking operators of GOLD SOUTHFIELD, who refuse to work with English-speaking criminals.<\/em><\/p>\n<\/blockquote>\n\n\n\n<p><strong>UTC-8<\/strong>&nbsp;(USA \u2013 Canada) does not seem to fit the threat actor profile.<\/p>\n\n\n\n<figure class=\"wp-block-image alignwide size-full caption-align-center\"><img decoding=\"async\" width=\"1024\" height=\"535\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/12\/timezone-1-1024x535-1.webp\" alt=\"\" class=\"wp-image-4254\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/12\/timezone-1-1024x535-1.webp 1024w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/12\/timezone-1-1024x535-1-300x157.webp 300w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/12\/timezone-1-1024x535-1-768x401.webp 768w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" loading=\"lazy\" \/><figcaption class=\"wp-element-caption\"><em>Fig. 3 &#8211; World Map Timezones<\/em><\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading has-text-align-center\" id=\"h-review-of-working-hours\">Review of working hours<\/h2>\n\n\n\n<p>The time zone setting can easily be manipulated and is not conclusive proof. So, when analysing the incident, we also took other information about the attack into account.<\/p>\n\n\n\n<p>Specifically, we evaluated whether the time zone configured on the threat actor\u2019s machine is compatible with the working hours of the cyber operations. 
Below, we compare the time of the offensive activities across different time zones.<\/p>\n\n\n\n<p>The first access (Day 1, 15:00 UTC-0) was made by Gold Cabin, an <strong>access broker<\/strong>&nbsp;that compromised a workstation (probably through an email attachment containing IcedID malware), moved to the server through privilege escalation activities, and then sold access to the REvil operator.<\/p>\n\n\n\n<p>UTC-0 was used as a reference for the malicious activities:<\/p>\n\n\n\n<div class=\"wp-block-group alignwide\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<figure class=\"wp-block-gallery aligncenter has-nested-images columns-7 is-cropped caption-align-center wp-block-gallery-1 is-layout-flex wp-block-gallery-is-layout-flex\">\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"124\" height=\"534\" data-id=\"4263\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/12\/MicrosoftTeams-image-6.png\" alt=\"\" class=\"wp-image-4263\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/12\/MicrosoftTeams-image-6.png 124w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/12\/MicrosoftTeams-image-6-70x300.png 70w\" sizes=\"(max-width: 124px) 100vw, 124px\" loading=\"lazy\" \/><figcaption class=\"wp-element-caption\"><strong>UTC-8<br>Seattle<\/strong><\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"124\" height=\"534\" data-id=\"4262\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/12\/UTC-8-1.png\" alt=\"\" class=\"wp-image-4262\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/12\/UTC-8-1.png 124w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/12\/UTC-8-1-70x300.png 70w\" sizes=\"(max-width: 124px) 100vw, 124px\" loading=\"lazy\" \/><figcaption 
class=\"wp-element-caption\"><strong>UTC-7<br>Los Angeles<\/strong><\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"124\" height=\"534\" data-id=\"4261\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/12\/UTC-7-1.png\" alt=\"\" class=\"wp-image-4261\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/12\/UTC-7-1.png 124w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/12\/UTC-7-1-70x300.png 70w\" sizes=\"(max-width: 124px) 100vw, 124px\" loading=\"lazy\" \/><figcaption class=\"wp-element-caption\"><strong>UTC-5<br>New York<\/strong><\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"139\" height=\"534\" data-id=\"4257\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/12\/UTC-0-1.png\" alt=\"\" class=\"wp-image-4257\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/12\/UTC-0-1.png 139w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/12\/UTC-0-1-78x300.png 78w\" sizes=\"(max-width: 139px) 100vw, 139px\" loading=\"lazy\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"124\" height=\"534\" data-id=\"4264\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/12\/UTC3.png\" alt=\"\" class=\"wp-image-4264\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/12\/UTC3.png 124w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/12\/UTC3-70x300.png 70w\" sizes=\"(max-width: 124px) 100vw, 124px\" loading=\"lazy\" \/><figcaption class=\"wp-element-caption\"><strong>UTC+3<br>Moscow<\/strong><\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"139\" height=\"534\" data-id=\"4265\" 
src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/12\/MicrosoftTeams-image-5-1.png\" alt=\"\" class=\"wp-image-4265\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/12\/MicrosoftTeams-image-5-1.png 139w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/12\/MicrosoftTeams-image-5-1-78x300.png 78w\" sizes=\"(max-width: 139px) 100vw, 139px\" loading=\"lazy\" \/><figcaption class=\"wp-element-caption\"><strong>UTC+8<br>Beijing<\/strong><\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"124\" height=\"534\" data-id=\"4266\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/12\/MicrosoftTeams-image-7.png\" alt=\"\" class=\"wp-image-4266\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/12\/MicrosoftTeams-image-7.png 124w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/12\/MicrosoftTeams-image-7-70x300.png 70w\" sizes=\"(max-width: 124px) 100vw, 124px\" loading=\"lazy\" \/><figcaption class=\"wp-element-caption\"><strong>UTC+10<br>Sydney<\/strong><\/figcaption><\/figure>\n<figcaption class=\"blocks-gallery-caption wp-element-caption\">Fig. 
4 &#8211; Timezones and working hours<\/figcaption><\/figure>\n<\/div><\/div>\n\n\n\n<h2 class=\"wp-block-heading has-text-align-center\" id=\"h-concluding-remarks\">Concluding remarks<\/h2>\n\n\n\n<p>Our analysis shows that the REvil operator is a sophisticated and well-organized threat actor, capable of quickly achieving persistence across multiple systems after initial access.<\/p>\n\n\n\n<p>Most notably, the ransomware attack operators always worked within a window of 2 hours per day (UTC-0), except for Days 8 and 9, when system administrators are typically off-duty:<\/p>\n\n\n\n<table style=\"border-collapse: collapse;width: 100%;height: 89px\">\n<tbody>\n<tr style=\"height: 37px\">\n<td style=\"width: 50%;text-align: center;background-color: #04144a;height: 37px\"><strong><span style=\"color: #ffffff\">Day<\/span><\/strong><\/td>\n<td style=\"width: 50%;text-align: center;background-color: #04144a;height: 37px\"><strong><span style=\"color: #ffffff\">Time of Cyber Attack (UTC-0)<\/span><\/strong><\/td>\n<\/tr>\n<tr style=\"height: 26px\">\n<td style=\"width: 50%;text-align: center;height: 26px\">1, 2, 3, 7<\/td>\n<td style=\"width: 50%;text-align: center;height: 26px\">19:00 \u2013 21:00<\/td>\n<\/tr>\n<tr style=\"height: 26px\">\n<td style=\"width: 50%;text-align: center;height: 26px\">8-9 (Ransomware)<\/td>\n<td style=\"width: 50%;text-align: center;height: 26px\">21:00 \u2013 01:00<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n\n\n\n<p>We observe that the attacker\u2019s operations span a range of up to 6 hours overall. 
In addition,&nbsp;we note that there were no activities on Saturday and Sunday.<\/p>\n\n\n\n<p>The timing of the operations suggests that the threat actor(s) may be located in Eastern Europe (UTC+3, from 22:00 to 04:00), but we also note that the US West Coast fits these working hours (UTC-8, from&nbsp;11:00 to 17:00).<\/p>\n\n\n\n<p>The information published in this article is our assessment of the incident and hacking activity.&nbsp;<strong>We do not have enough data to determine the actual location of the REvil operator.<\/strong>&nbsp;We think this could be an interesting starting point for further investigations.<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<h3 class=\"wp-block-heading has-text-align-center\" id=\"h-fortgale-cyber-defence\">Fortgale Cyber Defence<\/h3>\n\n\n\n<p class=\"has-text-align-center\">Fortgale provides specialized managed defence services\nfor advanced protection against cyber attacks. 
We are an industry-leading\ncompany with a specialist team in Cyber Threat Intelligence and Threat Hunting.<\/p>\n\n\n\n<p class=\"has-text-align-center\">For more information: <a class=\"ek-link ek-link\" href=\"mailto:fort@fortgale.com\">contact<\/a><\/p>\n<\/div><\/div>\n\n\n\n<h3 class=\"wp-block-heading has-text-align-center\" id=\"h-ioc-and-related-samples\"><strong>IOC<\/strong> and related samples<\/h3>\n\n\n\n<figure class=\"wp-block-table alignwide caption-align-center\"><table><tbody><tr><td class=\"has-text-align-left\" data-align=\"left\"> <strong>Similar samples<\/strong><\/td><td class=\"has-text-align-left\" data-align=\"left\"><strong>C2 IP<\/strong><\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\"><strong>csharp-streamer.exe:<\/strong> [<a href=\"https:\/\/www.virustotal.com\/gui\/file\/ad5c06b52b468711f4f1ce1bf6957506b805b07e52c9be331035536672505160\/detection\">VT-1<\/a>]<br><strong>MD5<\/strong> 351ba5a029f2671ddbc62bbb35588612<br><strong>SHA-1<\/strong> e5f1d22ad78ba2d0c5bbd0afae162837368ebcb4<br><strong>SHA-256<\/strong> ad5c06b52b468711f4f1ce1bf6957506b805b07e52c9be331035536672505160<br><strong>csharp-streamer.exe: <\/strong>[<a href=\"https:\/\/www.virustotal.com\/gui\/file\/18458972b8917f358215ac7172aae62bc4438281614779dc264acc1c88629988\/detection\" class=\"ek-link\">VT-2<\/a>]<br><strong>MD5<\/strong> c00afc74e9424d9848fd8359a73415d3<br><strong>SHA-1<\/strong> 2a76c44b8f5c2780a7245051d2d51e1592ec7a9f<br><strong>SHA-256<\/strong> 18458972b8917f358215ac7172aae62bc4438281614779dc264acc1c88629988<br><strong>csharp-streamer.exe: <\/strong>[<a href=\"https:\/\/www.virustotal.com\/gui\/file\/58939d19a56dd6da9947e72360ed50704475c5f0aa350f5ccce3bbc4c9a0e6c5\/detection\">VT-3<\/a>]<br><strong>MD5<\/strong> 5dd7bdf63e81cc08c75b6b54d581b48d<br><strong>SHA-1<\/strong> a13f9e9372ce4efaa6a0e2844347897818dc2ebb<br><strong>SHA-256<\/strong> 
58939d19a56dd6da9947e72360ed50704475c5f0aa350f5ccce3bbc4c9a0e6c5<br><strong>csharp-streamer.exe: <\/strong>[<a href=\"https:\/\/www.virustotal.com\/gui\/file\/3066e57cfadd3d127aa951562d6c1f50d97a9a0f2bdfbe39e83dc71971811384\/detection\">VT-4<\/a>]<br><strong>MD5<\/strong> 51f44e3c6ea8b85b6abbe7ff466c480e<br><strong>SHA-1<\/strong> d5a448d91f0e73d17f28b4a35979f013d0215be5<br><strong>SHA-256<\/strong> 3066e57cfadd3d127aa951562d6c1f50d97a9a0f2bdfbe39e83dc71971811384<br><strong>csharp-streamer.exe: <\/strong>[<a href=\"https:\/\/www.virustotal.com\/gui\/file\/80702e892a2f99da35e8a5a36bb7a2789f3642020c87bc72d238841045d71e47\/detection\">VT-5<\/a>]<br><strong>MD5<\/strong> 77d3f27aefa5424ca737dd4491b9bdf6<br><strong>SHA-1<\/strong> 85524d6166471354547dccf8ca8d03210b34a037<br><strong>SHA-256<\/strong> 80702e892a2f99da35e8a5a36bb7a2789f3642020c87bc72d238841045d71e47 <\/td><td class=\"has-text-align-left\" data-align=\"left\">136.144.245.9<br>109.248.144.72 <\/td><\/tr><\/tbody><\/table><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>In April 2021, an unidentified&nbsp;Gold Southfield&nbsp;operator carried out a Ransomware attack against a European company. The initial access is performed by Gold Cabin, an access broker, that deploys&nbsp;IceID&nbsp;(Bokbot), a Remote Access Tool (RAT) malware[link]. Once inside the company, the access broker passes privileges to the main operator who deploys the REvil ransomware. 
This threat actor [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":3895,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2515],"tags":[20,3068,51,62,72,102,165,280,283,295,345,350,359,369,370],"class_list":["post-2125","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-featured","tag-actor","tag-attention","tag-beacon","tag-canada","tag-cobaltstrike","tag-cyberattack","tag-hacker","tag-raas","tag-ransomware","tag-revil","tag-teamserver","tag-threat","tag-time-zone","tag-usa","tag-utc"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2125","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=2125"}],"version-history":[{"count":7,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2125\/revisions"}],"predecessor-version":[{"id":7053,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2125\/revisions\/7053"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media\/3895"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=2125"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=2125"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=2125"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}