A recent threat intelligence report has shed light on the advanced tactics and infrastructure of a sophisticated initial access broker (IAB) group tracked as TGR-CRI-0045. The group, linked to the threat actor known as Gold Melody (also called UNC961 or Prophet Spider), has been implicated in a series of attacks on organizations across Europe and the United States. The sectors most affected include financial services, manufacturing, wholesale and retail, high technology, and transportation and logistics.
Exploitation Methodology
At the heart of TGR-CRI-0045’s campaign is the exploitation of leaked cryptographic Machine Keys from ASP.NET web applications. These keys are used to sign (and, where configured, encrypt) data that the application round-trips through the client, such as View State. By acquiring these keys, often through leaks or poor security practices, the attackers were able to craft and sign malicious payloads that passed the application’s own integrity checks.
The group’s primary technique involved abusing the ASP.NET View State mechanism. By signing malicious View State payloads with the stolen Machine Keys, they could trigger deserialization attacks, resulting in arbitrary code execution directly on the targeted web servers. The integrity check on View State is only as strong as the secrecy of the validation key: a payload signed with the genuine key is indistinguishable from a legitimate one, so the server accepts and deserializes it. This method is particularly insidious, as it enables attackers to operate entirely in-memory, leaving minimal forensic traces and complicating detection efforts.
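The following is an added, simplified model of the mechanism described above; it is not code from the report or from any ASP.NET component. It reduces View State protection to its essential property, a MAC keyed by the configured validation key, and shows why the check detects tampering only while that key is secret, why a disclosed key makes forged payloads validate, and why rotation is the remediation. Real ASP.NET derives the MAC key from the validationKey together with page-specific modifiers and a purpose string, and uses its own serialization format; the HMAC-SHA256 layout, the sample state strings and the 64-byte key used here are constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed model: __VIEWSTATE carries base64(serialized_state || MAC).
# The MAC is keyed by the server's validation key (the machineKey validationKey
# in a real deployment); nothing else distinguishes genuine from forged state.


def sign_view_state(serialized_state: bytes, validation_key: bytes) -> str:
    """Append an HMAC-SHA256 tag to the serialized state and base64-encode it."""
    tag = hmac.new(validation_key, serialized_state, hashlib.sha256).digest()
    return base64.b64encode(serialized_state + tag).decode("ascii")


def validate_view_state(view_state_b64: str, validation_key: bytes) -> bool:
    """Server-side integrity check, performed before any deserialization.

    Returns True only if the payload was produced by a holder of validation_key.
    """
    try:
        blob = base64.b64decode(view_state_b64, validate=True)
    except ValueError:            # malformed base64 (binascii.Error is a ValueError)
        return False
    if len(blob) <= 32:           # too short to contain state plus a 32-byte tag
        return False
    body, tag = blob[:-32], blob[-32:]
    expected = hmac.new(validation_key, body, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)   # constant-time comparison


def tamper_detected_without_key(server_key: bytes) -> bool:
    """An outsider who lacks the key cannot alter state without failing the check."""
    legit = sign_view_state(b"page=orders;filter=open", server_key)
    blob = bytearray(base64.b64decode(legit))
    blob[0] ^= 0x01                                   # flip one bit of the state
    altered = base64.b64encode(bytes(blob)).decode("ascii")
    return not validate_view_state(altered, server_key)


def leaked_key_defeats_check(server_key: bytes) -> bool:
    """With the key disclosed, any chosen state validates as genuine, so the MAC
    stops being a control and deserialization runs on attacker-chosen input."""
    chosen_state = b"<attacker-chosen serialized object>"  # constructed placeholder
    forged = sign_view_state(chosen_state, server_key)
    return validate_view_state(forged, server_key)


def rotation_invalidates_old_key(old_key: bytes) -> bool:
    """After rotation, payloads signed with the leaked key no longer validate."""
    new_key = secrets.token_bytes(64)
    stale = sign_view_state(b"page=orders;filter=open", old_key)
    return not validate_view_state(stale, new_key)


if __name__ == "__main__":
    key = secrets.token_bytes(64)          # constructed server key
    print("tamper detected without key:", tamper_detected_without_key(key))
    print("leaked key passes the check: ", leaked_key_defeats_check(key))
    print("rotation rejects old signing:", rotation_invalidates_old_key(key))
```

The ordering inside validate_view_state is the point: the MAC is the only gate between untrusted bytes and the deserializer, which is why key secrecy and rotation, rather than input filtering, are the controls that matter here.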
Tooling and Post-Exploitation Activity
Once initial access was established, TGR-CRI-0045 deployed a suite of custom tools designed for stealth and persistence:
- In-Memory Payloads: The attackers favored payloads that executed solely in system memory, reducing the likelihood of detection by traditional antivirus or endpoint security solutions.
- Reconnaissance Utilities: Specialized tools were used to map internal networks, enumerate assets, and identify further targets for lateral movement.
- Persistence Mechanisms: Scripts and utilities were employed to maintain long-term access, demonstrating the group’s adaptability and technical sophistication.
Command and Control Infrastructure
The operational infrastructure supporting TGR-CRI-0045’s activities was both robust and evasive. Key characteristics include:
- Encrypted Communications: All traffic between compromised hosts and attacker-controlled servers was encrypted, impeding network-based detection.
- Dynamic C2 Endpoints: The group used infrastructure capable of rapidly shifting command and control (C2) endpoints, complicating efforts to block or dismantle their operations.
- Opportunistic Targeting: Rather than focusing on a narrow set of victims, the group’s infrastructure facilitated broad, opportunistic campaigns across multiple industries and geographies.
Attribution and Threat Actor Profile
The report attributes these activities to the Gold Melody group with medium confidence. This assessment is based on overlaps in indicators of compromise (IoCs), observed tactics, techniques, and procedures (TTPs), and patterns in victimology. Gold Melody is known for its focus on initial access brokerage, selling footholds to other criminal or nation-state actors.
Defensive Recommendations
Given the advanced nature of these attacks, organizations are urged to adopt a multi-layered defense strategy:
- Audit and Secure Machine Keys: Regularly review and rotate cryptographic keys used by web applications. Rotation immediately invalidates any payload signed with the old key. Ensure keys are stored securely and monitor for unauthorized access or leaks.
- Monitor for View State Abuse: Implement monitoring for anomalous or unsigned View State data within ASP.NET applications, as this may indicate exploitation attempts. Because a payload signed with a leaked key passes MAC validation, pair this with host-level telemetry such as unexpected child processes of the IIS worker process.
- Enhance Network Segmentation: Reduce the risk of lateral movement by segmenting critical infrastructure and maintaining robust access controls.
- Incident Response Preparedness: Develop and regularly test incident response plans that address in-memory attack techniques and advanced persistence mechanisms.
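As an added example supporting the first two recommendations (auditing Machine Keys and spotting configurations that weaken View State protection), the script below is not from the report or from Microsoft; it is a stand-alone auditor for web.config files. It flags a validationKey or decryptionKey whose digest matches a list of keys known to have been published, legacy validation or decryption algorithms, and a pages element that turns View State MAC checking off, and it emits a freshly generated replacement machineKey element. The leaked-key list, the sample web.config and the key values in it are constructed placeholders; in practice the digest list would be populated from a vendor or CERT feed.

```python
import hashlib
import secrets
import xml.etree.ElementTree as ET

# Constructed placeholder list. Store SHA-256 digests of published keys, not the
# keys themselves, so the auditor cannot itself become a key leak.
LEAKED_KEY = "0123456789ABCDEF" * 8                      # constructed "published" key
DECRYPT_KEY = "FEDCBA9876543210" * 4                     # constructed, not in the list
KNOWN_LEAKED_KEY_SHA256 = {hashlib.sha256(LEAKED_KEY.encode()).hexdigest()}

WEAK_VALIDATION = {"MD5", "SHA1", "3DES"}                # legacy validation algorithms
WEAK_DECRYPTION = {"DES", "3DES"}                        # legacy decryption algorithms


def key_digest(hex_key: str) -> str:
    """Normalise hex case before hashing so lookups are case-insensitive."""
    return hashlib.sha256(hex_key.strip().upper().encode()).hexdigest()


def audit_web_config(xml_text: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one web.config document."""
    findings = []
    root = ET.fromstring(xml_text)
    # <machineKey> may sit directly under <system.web> or inside <location>
    # blocks, so walk the whole tree instead of one fixed path.
    for mk in root.iter("machineKey"):
        vkey = mk.get("validationKey", "AutoGenerate,IsolateApps")
        dkey = mk.get("decryptionKey", "AutoGenerate,IsolateApps")
        valg = mk.get("validation", "HMACSHA256").upper()
        dalg = mk.get("decryption", "Auto").upper()
        if not vkey.startswith("AutoGenerate"):
            if key_digest(vkey) in KNOWN_LEAKED_KEY_SHA256:
                findings.append(("high", "validationKey matches a known published key; rotate immediately"))
            else:
                findings.append(("info", "static validationKey present; confirm it is unique to this app and kept secret"))
        if not dkey.startswith("AutoGenerate") and key_digest(dkey) in KNOWN_LEAKED_KEY_SHA256:
            findings.append(("high", "decryptionKey matches a known published key; rotate immediately"))
        if valg in WEAK_VALIDATION:
            findings.append(("medium", f"weak validation algorithm {valg}; use HMACSHA256 or stronger"))
        if dalg in WEAK_DECRYPTION:
            findings.append(("medium", f"weak decryption algorithm {dalg}; use AES"))
    for pages in root.iter("pages"):
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append(("high", 'enableViewStateMac="false": View State integrity checking is disabled'))
    return findings


def suggest_rotated_machine_key() -> str:
    """Fresh <machineKey>: 64 random bytes for HMACSHA256, 32 for AES, as hex."""
    return (f'<machineKey validationKey="{secrets.token_hex(64).upper()}" '
            f'decryptionKey="{secrets.token_hex(32).upper()}" '
            'validation="HMACSHA256" decryption="AES" />')


# Constructed sample web.config exhibiting every condition the auditor checks.
SAMPLE_WEB_CONFIG = f"""<configuration>
  <system.web>
    <machineKey validationKey="{LEAKED_KEY}"
                decryptionKey="{DECRYPT_KEY}"
                validation="SHA1" decryption="3DES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>"""


if __name__ == "__main__":
    for sev, msg in audit_web_config(SAMPLE_WEB_CONFIG):
        print(f"[{sev}] {msg}")
    print("Suggested replacement:", suggest_rotated_machine_key())
```

When rotating, apply the new element to every node of a web farm at the same time: keys must match across nodes for View State and forms authentication tickets to validate, and the change invalidates existing tickets and signed state, which is the intended effect after a leak.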