GOLD HARVEST
SUMMARY
GOLD HARVEST is a financially motivated cybercriminal threat group that initially targeted telecommunications, technology and business process outsourcing (BPO) companies with the ultimate objective of data theft and fraud. Some members of the group have also acted as affiliates of the now-defunct ALPHV/BlackCat ransomware-as-a-service (RaaS) scheme, encrypting networks and stealing data for the purposes of extortion. GOLD HARVEST has been active since at least June 2022, when the group was identified in a campaign targeting over 100 companies. Its targeting has since expanded to include a wider range of commercial organizations.
GOLD HARVEST predominantly gains access to targeted networks through social engineering, using SMS messages and phone calls either to direct users to malicious credential-harvesting sites built with the 0ktapus phishing kit or to convince them to download multiple legitimate remote monitoring and management (RMM) tools. The social engineering extends to bypassing multi-factor authentication (MFA) controls, either by pressing the user to share their one-time password or through MFA fatigue, in which the attacker repeatedly pushes authentication requests to the victim's device until the victim approves one simply to stop the notifications. The group also socially engineers mobile-carrier support staff to carry out SIM swap attacks, a further means of defeating SMS-based MFA.
Having bypassed MFA, GOLD HARVEST can register its own devices to the organization's trusted device list, giving the group persistence that does not depend on repeating the social engineering. Once inside the network, GOLD HARVEST has been observed by third-party researchers elevating privileges and using a range of ISP and VPN providers to conduct reconnaissance across environments including Windows, Linux, Google Workspace, Azure Active Directory, Microsoft 365 and AWS, and in some instances downloading tools to exfiltrate sensitive information such as VPN and MFA enrollment data from SharePoint and OneDrive. GOLD HARVEST uses established, legitimate penetration testing tools for discovery and "Bring Your Own Vulnerable Driver" (BYOVD) techniques, loading a legitimately signed but exploitable driver into the Windows kernel in order to disable the capabilities of endpoint security products.
GOLD HARVEST demonstrates sophisticated social engineering capabilities and operates using a wide range of legitimate commercial and open-source tools, with minimal reliance on custom malware. This, combined with the use of BYOVD techniques to hamper endpoint detection products, makes the group an extremely persistent and effective adversary.
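The two identity-layer behaviours described above, an MFA-fatigue burst that ends in an approval and a new device registration shortly afterwards, are the events a defender can actually alert on. The following detection sketch is an added example written for this page; it is not code from the vendor or from any researcher cited here. It assumes a generic, constructed event schema of (timestamp, user, event, result, source_ip); a real deployment would map the identity provider's sign-in and audit log fields onto it. The sample events are constructed, not real telemetry, and the window and threshold values are illustrative starting points, not empirically derived.

```python
"""Detection sketch: MFA push-bombing followed by a new trusted-device
registration. Added example; the event schema and sample data are constructed
for illustration and do not correspond to any vendor's real log format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample identity-provider events (not real telemetry).
# Assumed schema: (timestamp, user, event, result, source_ip).
SAMPLE_EVENTS = [
    ("2023-03-01T08:00:05Z", "alice", "mfa_push", "denied", "203.0.113.10"),
    ("2023-03-01T08:00:40Z", "alice", "mfa_push", "denied", "203.0.113.10"),
    ("2023-03-01T08:01:12Z", "alice", "mfa_push", "timeout", "203.0.113.10"),
    ("2023-03-01T08:01:50Z", "alice", "mfa_push", "denied", "203.0.113.10"),
    ("2023-03-01T08:02:30Z", "alice", "mfa_push", "approved", "203.0.113.10"),
    ("2023-03-01T08:05:00Z", "alice", "device_registered", "success", "203.0.113.10"),
    # A normal user: one approval, later one mistaken denial then an approval.
    ("2023-03-01T09:00:00Z", "bob", "mfa_push", "approved", "198.51.100.7"),
    ("2023-03-01T09:30:00Z", "bob", "mfa_push", "denied", "198.51.100.7"),
    ("2023-03-01T09:31:00Z", "bob", "mfa_push", "approved", "198.51.100.7"),
]


def parse_ts(ts):
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_mfa_fatigue(events, window=timedelta(minutes=5), threshold=3):
    """Return alerts as (user, burst_start, burst_end, approved_at_or_None).

    A burst is `threshold` or more pushes the user did not approve (denied or
    timed out) inside `window`. If an approval lands inside the same window it
    is recorded separately: that is the moment the attacker actually got in,
    and it is what the device-registration check below keys on.
    """
    by_user = defaultdict(list)
    for ts, user, event, result, ip in events:
        if event == "mfa_push":
            by_user[user].append((parse_ts(ts), result, ip))

    alerts = []
    for user, pushes in by_user.items():
        pushes.sort()  # sort by timestamp (first tuple element)
        i = 0
        while i < len(pushes):
            start = pushes[i][0]
            in_window = [p for p in pushes[i:] if p[0] - start <= window]
            unapproved = [p for p in in_window if p[1] != "approved"]
            if len(unapproved) >= threshold:
                approved_at = next((p[0] for p in in_window if p[1] == "approved"), None)
                alerts.append((user, start, in_window[-1][0], approved_at))
                i += len(in_window)  # report each burst once
            else:
                i += 1
    return alerts


def find_suspicious_registrations(events, alerts, grace=timedelta(hours=1)):
    """Link successful device registrations to a preceding approved burst.

    Returns (user, registered_at, approved_at) for every registration that
    happened within `grace` after an approval that followed an MFA burst.
    This is the persistence step: the attacker enrolls their own device.
    """
    hits = []
    for ts, user, event, result, ip in events:
        if event != "device_registered" or result != "success":
            continue
        registered_at = parse_ts(ts)
        for a_user, _, _, approved_at in alerts:
            if a_user != user or approved_at is None:
                continue
            if timedelta(0) <= registered_at - approved_at <= grace:
                hits.append((user, registered_at, approved_at))
    return hits


if __name__ == "__main__":
    bursts = find_mfa_fatigue(SAMPLE_EVENTS)
    for user, start, end, approved_at in bursts:
        print(f"MFA fatigue: {user} {start}..{end} approved_at={approved_at}")
    for user, registered_at, approved_at in find_suspicious_registrations(SAMPLE_EVENTS, bursts):
        print(f"Device registered by {user} at {registered_at}, "
              f"{(registered_at - approved_at).seconds // 60} min after a coerced approval")
```

The burst detector deliberately counts only unapproved pushes toward the threshold, so a user who approves on the first or second prompt never triggers it; the follow-on check then treats an approval that ends a burst as the pivot point and flags any trusted-device enrollment inside the grace period after it. In production the same logic would be fed from the identity provider's push-authentication and device-registration audit events, and the source IP retained in each tuple is there so the analyst can compare the registering IP with the one that generated the burst.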