REvil Development Adds Confidence About GOLD SOUTHFIELD Reemergence

Secureworks CTU analyzed REvil samples tied to GOLD SOUTHFIELD infrastructure and found that the threat actor appears to be actively developing REvil and may again have access to its source code. The March 2022 sample shows notable changes, including updated string decryption logic, new command-line controls, updated keys, targeted credentials, and new Tor domains for the leak and payment sites, indicating a reemergence of REvil. #REvil #GOLD_SOUTHFIELD #Tor

Keypoints

  • CTU evidence suggests REvil is under active development and may have regained access to its source code, signaling a potential reemergence of GOLD SOUTHFIELD activity.
  • The March 2022 sample updates string decryption logic to rely on a new command-line argument (-t) and requires a specific 4-byte value to decrypt strings; missing or incorrect values terminate the executable.
  • The March 2022 sample raises the pre-defined value to 798690758 (0x2F9B0DC6) and demonstrates RC4 key derivation based on this value, affecting how strings are decrypted.
  • Hard-coded public keys are updated in the March 2022 sample, altering how artifacts are secured and how the session key and related data are encrypted.
  • The configuration storage location shifts to a new offset (0x50) with a 32-byte key, while the overall structure (decryption key, CRC, data length, RC4-encrypted config) remains the same.
  • Affiliate tracking data format changes from integers to GUIDs; pid is unused and replaced by a duplicate sub reference, indicating updated affiliate data handling.
  • Between the October 2021 and March 2022 samples, the prohibited-region checks were removed, and the accs element began carrying targeted credential strings used to gain remote access before encryption.
  • The ransom note now includes new Tor domains for the leak site and payment site, reflecting infrastructure reactivation in April 2022.
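The configuration layout above (RC4 key, CRC, data length, RC4-encrypted config at a fixed offset) is what an analyst extracts when triaging a sample. The following is an added example, not code from the Secureworks post: it parses a block laid out that way from a constructed blob. Field widths (4-byte little-endian CRC and length), the use of CRC32 over the decrypted data, and the sample JSON values are assumptions made for the demonstration.

```python
import struct
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); decryption is the same operation as encryption."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

CONFIG_OFFSET = 0x50   # offset reported for the March 2022 sample
KEY_LEN = 32           # 32-byte RC4 key, as reported

def parse_config(blob: bytes, offset: int = CONFIG_OFFSET) -> bytes:
    """Read key, CRC, length and ciphertext from the block and return the
    decrypted config. Assumption: CRC is CRC32 of the plaintext and both the
    CRC and length fields are 4-byte little-endian integers."""
    key = blob[offset:offset + KEY_LEN]
    crc, length = struct.unpack_from("<II", blob, offset + KEY_LEN)
    start = offset + KEY_LEN + 8
    plain = rc4(key, blob[start:start + length])
    if zlib.crc32(plain) != crc:
        # A mismatch means the wrong offset/key, or a tampered block.
        raise ValueError("CRC mismatch: not a valid config block at this offset")
    return plain

def build_config_blob(key: bytes, config: bytes, offset: int = CONFIG_OFFSET) -> bytes:
    """Constructed fixture (not a real sample) laid out the same way,
    with zero padding up to the config offset."""
    header = key + struct.pack("<II", zlib.crc32(config), len(config))
    return b"\x00" * offset + header + rc4(key, config)

# Constructed stand-in config using element names the analysis mentions.
SAMPLE_CONFIG = b'{"pid":"<placeholder-guid>","sub":"<placeholder-guid>","accs":[]}'
```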

MITRE Techniques

  • [T1059.003] Command-Line – The March 2022 sample uses a pre-defined four-byte integer value passed via a new “-t” command-line argument, and fails if not provided; “This value is passed to the REvil executable via a new “-t” command-line argument.”
  • [T1027] Obfuscated/Compressed Files and Information – String decryption and RC4-based key length calculation updated to rely on runtime data passed via the command line; “updates string decryption logic to rely on new command-line argument” and “calculate the RC4 key length.”
  • [T1112] Modify Registry – The March 2022 sample alters registry storage keys and value names (e.g., 3OG, b2vr, Elnzo, 16uKrF7, E7w3RRdi) to store encryption-related data and configuration; “The registry key that stores encryption-related information was set to SOFTWAREJnX5ywJ. The value names stored within this key also changed.”
  • [T1090.003] Tor – The ransom note and attacker infrastructure reference Tor domains for leak and payment sites; “REvil leak site: blogxxu75w63ujqarv476otld7cyjkq4yoswzt4ijadkjwvg3vrvd5yd . onion” and “REvil ransom payment site: landxxeaf2hoyl2jvcwuazypt6imcsbmhb7kx3x33yhparvtmkatpaad . onion”
  • [T1078] Valid Accounts – The accs configuration element contains credentials meant to authenticate to protected network resources, indicating use of valid accounts for movement or access; “the credentials appear to be targeted.”
  • [T1486] Data Encrypted for Impact – The March 2022 sample includes encryption-related structures such as the “session private key encrypted with the threat actor’s public key” and “Encrypted ‘stat’ JSON data”.

Indicators of Compromise

  • [IOC Type] MD5 hash – March 2022 sample: db2401798c8b41b0d5728e5b6bbb94cf; April 2022 sample: ad49374e3c72613023fe420f0d6010d9
  • [IOC Type] SHA1 hash – March 2022 sample: 6620f5647a14e543d14d447ee2bd7fecc03be882; April 2022 sample: eb563ab4caca7e19bdeee807b025ab2d54e23624
  • [IOC Type] SHA256 hash – March 2022 sample: 861e2544ddb9739d79b265aab1e327d11617bc9d9c94bc5b35282c33fcb419bc; April 2022 sample: 0c10cf1b1640c9c845080f460ee69392bfaac981a4407b607e8e30d2ddf903e8
  • [IOC Type] Domain name – REvil leak site: blogxxu75w63ujqarv476otld7cyjkq4yoswzt4ijadkjwvg3vrvd5yd.onion; Ransom payment site: landxxeaf2hoyl2jvcwuazypt6imcsbmhb7kx3x33yhparvtmkatpaad.onion

Read more: https://www.secureworks.com/blog/revil-development-adds-confidence-about-gold-southfield-reemergence