GOLD DUPONT
SUMMARY
GOLD DUPONT is a financially motivated cybercriminal threat group that specializes in post-intrusion ransomware attacks using 777 (aka Defray777 or RansomExx) malware. Active since November 2018, GOLD DUPONT establishes initial access into victim networks using stolen credentials to remote access services like virtual desktop infrastructure (VDI) or virtual private networks (VPN). From October 2019 to early 2020 the group used GOLD BLACKBURN's TrickBot malware as an initial access vector (IAV) during some intrusions. Beginning in July 2020 and continuing for several months, the group also used GOLD SWATHMORE's IcedID (Bokbot) malware as an IAV in some intrusions.
GOLD DUPONT uses the Metasploit and Cobalt Strike offensive security tools (OST), as well as the bespoke PyXie RAT malware, for post-intrusion activities and for maintaining persistent access to the environment. The custom Vatet loader used by GOLD DUPONT uses signed executables to load modified DLLs, which in turn load and create persistence for the group's OST or RAT payloads. ArtifactExx, another bespoke malware created by the group, is deployed through Cobalt Strike and can launch additional malware payloads through service creation, WinRM, or WMIC. The SystemBC malware may also be used to let the threat actors tunnel connections through an infected host into the victim network. These tools are used to acquire privileged Active Directory credentials, move laterally to domain controller(s), deploy Cobalt Strike stagers to as many Windows endpoints as possible, and finally to deploy the 777 ransomware. In mid-2020 the group began using an ELF executable port of the 777 ransomware to target Linux-based systems, primarily VMware ESXi hypervisors.
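The mass-deployment step above (one set of privileged credentials driving service creation, WinRM, or WMIC execution across as many endpoints as possible) is a detectable fan-out pattern. The following is an added illustration, not code from the profile or from CTU: it parses constructed, normalized log lines and alerts when a single account triggers remote-execution events on a threshold number of distinct hosts inside a short window. The event labels (`ServiceInstall`, `WinRMExec`, `WmicExec`), the log format, and the sample data are all assumptions made for this example.

```python
"""Added example: detect remote-execution fan-out from one account across many hosts.

Assumptions (not from the profile): logs are normalized to
"<ISO timestamp> <host> <account> <event>", and service creation, WinRM and
WMIC execution are labelled ServiceInstall, WinRMExec and WmicExec.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Remote-execution primitives named in the profile (service creation, WinRM,
# WMIC), under the hypothetical labels a log pipeline might assign them.
LATERAL_EXEC_EVENTS = {"ServiceInstall", "WinRMExec", "WmicExec"}

# Constructed sample log lines; not real data. One service account touches
# six hosts within ~10 seconds, while a second account shows routine activity.
SAMPLE_LOGS = """\
2020-08-03T02:10:05 WS01 CORP\\svc_backup ServiceInstall
2020-08-03T02:10:07 WS02 CORP\\svc_backup ServiceInstall
2020-08-03T02:10:09 WS03 CORP\\svc_backup WmicExec
2020-08-03T02:10:12 WS04 CORP\\svc_backup WinRMExec
2020-08-03T02:10:14 WS05 CORP\\svc_backup ServiceInstall
2020-08-03T02:10:15 WS06 CORP\\svc_backup ServiceInstall
2020-08-03T02:11:30 WS01 CORP\\svc_backup ServiceInstall
2020-08-03T09:15:00 WS07 CORP\\jdoe ServiceInstall
2020-08-03T11:40:00 WS08 CORP\\jdoe WinRMExec
2020-08-03T11:41:00 WS09 CORP\\jdoe Logon
"""


def parse_logs(text):
    """Parse the assumed log format into (timestamp, host, account, event) tuples, sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, account, event = line.split()
        records.append((datetime.fromisoformat(ts), host, account, event))
    records.sort(key=lambda r: r[0])
    return records


def detect_fanout(records, window=timedelta(minutes=10), min_hosts=5):
    """Return {account: (window_start, sorted_hosts)} for every account that drove
    remote-execution events on at least `min_hosts` distinct hosts within `window`.

    A sliding window over each account's events keeps the largest distinct-host
    set that crossed the threshold, so the alert lists the full blast radius."""
    per_account = defaultdict(list)
    for ts, host, account, event in records:
        if event in LATERAL_EXEC_EVENTS:
            per_account[account].append((ts, host))

    alerts = {}
    for account, events in per_account.items():
        best = None
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {h for _, h in events[start:end + 1]}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best[1])):
                best = (events[start][0], sorted(hosts))
        if best is not None:
            alerts[account] = best
    return alerts


if __name__ == "__main__":
    for account, (since, hosts) in detect_fanout(parse_logs(SAMPLE_LOGS)).items():
        print(f"ALERT {account}: remote execution on {len(hosts)} hosts since {since.isoformat()}: {hosts}")
```

The threshold and window are tuning knobs: legitimate software deployment tools also fan out, so in practice the rule is scoped to accounts and source hosts that are not expected to push software, and the alert is correlated with the preceding domain controller access the profile describes.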
GOLD DUPONT intrusions typically progress quickly, with dwell times of one to three days between initial access and ransomware deployment. During this time the threat actors work to identify and compromise critical assets. Credentials to third parties are also believed to be collected and later used for attacks against those entities. Historically, despite frequently being in proximity to highly valuable data, GOLD DUPONT had not been observed inspecting or exfiltrating data from victims. Beginning around August 2020, the group began regularly exfiltrating data from victims' networks and using proof of possession to increase leverage over victims. In November 2020 the group created a name-and-shame website on the Tor network where it posts portions of data stolen during intrusions. In one case a victim's data was posted within five days of the ransomware incident. CTU researchers have observed the threat actors re-entering victim environments to observe and disrupt remediation efforts.
Early 777 ransom notes were near facsimiles of the note used by the Defray ransomware, which was spread through spam email from 2017 to 2018. Similarly, the commands used by GOLD DUPONT to complicate recovery efforts and destroy forensic evidence are copied from previous Defray activity. Analysis of the earlier Defray ransomware and the current 777 ransomware samples shows no code similarities, and CTU researchers assess they are independent works, but the similarity of the associated TTPs suggests that both are operated by GOLD DUPONT. Malware used by the group shares code with the Shifu malware, and CTU researchers assess with moderate confidence that GOLD DUPONT is the group responsible for historical Shifu activity.