'Gold Melody' Access Broker Plays on Unpatched Servers' Strings

A initial access broker (IAB) is still running rampant despite being tracked for seven years by researchers, and despite striking up a predictable tune when it comes to the tools and tactics used to compromise organizations (and pave the way for follow-on ransomware attacks).

Between July 2020 and July 2022, Secureworks identified five separate intrusions by the group it tracks as "Gold Melody" (aka UNC961 to Mandiant, and Prophet Spider to CrowdStrike). Each of the attacks was snuffed out early, thanks in part to the group's extensive yet predictable tactics, techniques, and procedures (TTPs), researchers have noted.

Yet to Rafe Pilling, director of threat research for Secureworks' Counter Threat Unit, "the thing that stood out is they are quite prolific, and consistent in their tradecraft."

Gold Melody's M.O.: Low-Hanging Fruit

At every step of the way, Gold Melody is driven by opportunism.

It begins with the targets themselves: organizations running unpatched, Internet-facing servers.

The precise nature of the vulnerability doesn't seem to matter much. In recent years, the group has exploited CVE-2021-42237 — a critical 9.8-rated bug in the Sitecore content management platform; CVE-2017-5638 — another critical 10 out of 10-rated flaw affecting Apache Struts; the infamous Log4Shell vulnerability, and more. Each of these vulnerabilities was publicly known and patched, often years before Gold Melody exploited them in delinquent IT environments.

Following initial intrusion, the group typically attempts to establish persistence with Jakarta Server Pages (JSP) Web shells. In one case in 2020, it used the Perl-based IHS Back-Connect backdoor.

Throughout the intrusion, Gold Melody performs reconnaissance on the victim environment, using Windows or Linux commands to display information about the host machine, user, directories, and more. Then it attempts to harvest credentials, for example, by using the Mimikatz pen-testing tool.

Besides Mimikatz, Gold Melody has a suite of other open source tools at its disposal — like Wget, for retrieving files from a remote server — as well as those from the cybercrime underground — like "GOTROJ," a Golang-based remote access Trojan (RAT) useful in establishing persistence, performing reconnaissance, and executing arbitrary commands on a host machine.

The Reason to Fear IABs

Historically, once Gold Melody is thoroughly ensconced in its target's environment, it will hand off control to a ransomware actor, for a price.

In 2020 and 2021, CrowdStrike observed attacks that led to the deployment of Egregor and MountLocker ransomware. Similarly, Mandiant observed a compromise that enabled Gold Melody's partners to install CryptoDefense ransomware. In all of these cases, the ransomware arrived in target networks anywhere from a couple of weeks to several months after Gold Melody's job was done.

So even if Gold Melody itself doesn't strike fear into the heart, its friends will. That's why Pilling emphasizes the simple steps companies can take to snuff out the danger early, like "patching the perimeter, your Internet facing systems — that vulnerability management piece is super important."

And, he adds, "in these cases, we're able to identify this activity at an early stage before it could go further. So having that kind of broad visibility across your endpoint state — across network connections, and other cloud solutions — is vital for early detection, before things get out of control."