GOLD DRAKE
SUMMARY
GOLD DRAKE, also known as Evil Corp, is a financially motivated cybercriminal threat group that operated the Dridex (also known as Bugat v5) botnet since July 2014. In December 2019, the U.S. Department of Justice indicted two Russian nationals, Maksim Yakubets and Igor Turashev, for their ongoing roles in the operation of Dridex.
From July 2017 to early 2020, GOLD DRAKE developed and distributed the BitPaymer ransomware during post-intrusion attacks facilitated by Dridex. From May 2020, GOLD DRAKE developed and distributed the WastedLocker ransomware. Between December 2020 and around March 2021, GOLD DRAKE distributed the Hades, Phoenix CryptoLocker and Payload.Bin ransomware in name-and-shame ransomware attacks. These changes in ransomware were likely a deliberate response to the December 2019 decision by the U.S. Treasury to sanction Evil Corp: the group abandoned its signature tools and modified its intrusion techniques so that victims would not necessarily realize they were paying GOLD DRAKE.
Individual operators of GOLD DRAKE have been involved in malware-aided financial fraud since at least early 2011 and are former affiliates of the GOLD EVERGREEN threat group. GOLD EVERGREEN, also known as The Business Club, operated the Zeus and Gameover Zeus botnets until international law enforcement action in May 2014.
Historically, GOLD DRAKE distributed Dridex in high-volume campaigns intended to infect large numbers of individual victims. Beginning in June 2016, the group consistently decreased the cadence of distribution campaigns, using Dridex instead for more targeted attacks. Despite facing close scrutiny after key members were indicted, the high-volume campaigns paradoxically resumed in early 2020, with distribution via spam emails from GOLD ESSEX's Cutwail botnet, second-stage downloads from instances of Gozi ISFB and GOLD CRESTWOOD's Emotet botnet, drive-by downloads using SocGholish, and a variety of other methods.
When GOLD DRAKE swapped BitPaymer for WastedLocker in May 2020, they abandoned use of Dridex, instead preferring to rely on PowerShell scripts distributed by SocGholish to execute payloads based on Donut and the Covenant post-exploitation framework. With Hades attacks, GOLD DRAKE made extensive use of Cobalt Strike, as well as other tools including Mimikatz, Advanced Port Scanner, PsExec, Metasploit, MSBuild, batch scripts to repeatedly stop services and clear event logs, MEGASync for data exfiltration, RDP, and reverse SOCKS proxies. SocGholish has continued to be used for initial access, although CTU researchers also observed Hades ransomware attacks in early 2021 where stolen credentials were used as the initial access vector.
CTU researchers assess that in early 2019, some GOLD DRAKE operators in possession of the BitPaymer and Dridex source code formed the GOLD HERON threat group. This new group operated the DoppelPaymer ransomware from June 2019 until May 2021, when it was replaced with the Grief ransomware, and still uses its Dridex fork (often referred to as Dridex 2.0 or DoppelDridex).
Threat Analysis
Dridex (Bugat v5) Botnet Takeover Operation