GOLD GILBERT
SUMMARY
GOLD GILBERT is the name used by the CTU to characterize a series of intrusions in 2014 focused on billing and fraudulent payment transfers. Links to other open source reporting identify this group as being involved in classic '419 scams', and in 2014/15 CTU researchers assessed with moderate confidence that the group was based out of Nigeria.
Campaigns were characterized by spear phishing used to install the DarkComet and Netwire RATs. The group has used commercially available loaders/decoders, such as the AutoIt-based DataScrambler, to enable these RATs to evade AV detection. GOLD GILBERT appears to concentrate on targeting purchasing staff where it can identify them, and uses forged invoices and access to legitimate email accounts to conduct fraud.