August 02, 2018
Goldfin Security Alert
By: Josh Ray


A number of security vendors reported a series of cyberattacks involving the use of a malware family called SOCKSBOT and claimed to be associated with CANDLEFISH (also known as Patchwork, Dropping Elephant). However, as disclosed in our report, research by Accenture Security iDefense analysts shows that SOCKSBOT was used by a threat group in an 18-month-long campaign dubbed Goldfin, spoofing financial institutions in the Commonwealth of Independent States (CIS) countries since as early as February 2017 to as recently as May 2018. Based on the tactics, techniques and procedures (TTPs) observed in this campaign, iDefense assesses with moderate confidence that the reported campaign is unlikely to be associated with CANDLEFISH.

In addition, iDefense analysts have identified infrastructure overlap and the shared use of a PowerShell obfuscation technique with FIN7. Although these observations are not enough to attribute the Goldfin campaign to FIN7, iDefense assesses these to be interesting and noteworthy observations that further highlight the complex relationships that exist behind-the-scenes in organized cybercrime.



The report identifies the modus operandi of a highly active threat group that is targeting financial institutions for financial gain. Security operation center (SOC) analysts and engineers can use this report's detailed information around the workings of a malware family and indicators of compromise (IoCs) to contain or mitigate the discussed threat through monitoring or blocking. SOC analysts can use the information provided in the analysis and mitigation sections of this cyber advisory report for hunting activities for systems that may have been compromised already. Analysts and security engineers can use the IoCs by adding them to hunting lists on endpoint detection and response (EDR) solutions as well as network- and host-based blacklists to detect and deny malware implantation and command-and-control (C2) communication. Intelligence analysts may want to use the information provided in this cyber advisory report to better inform their own analyses. The information provided can also help inform ongoing intelligence analyses and forensic investigations, particularly for compromise discovery, damage assessment, and attribution. Management and executive leadership may wish to assess the risks associated with the threats described to make the appropriate operational and policy decisions.


To effectively defend against the threats identified in this report, we recommend:

  • Block the access URLs and IP addresses listed in the report.
  • Verify the existence of any of the artifacts noted in the report for incident response and threat hunting.
  • Verify the existence of any of the hashes on the host as detailed in the report.

Popular Tags

    More blogs on this topic