What's the story?

A number of security vendors have reported a series of cyberattacks involving a malware family called SOCKSBOT and claimed that the attacks are associated with CANDLEFISH (also known as Patchwork, Dropping Elephant). However, as disclosed in our report, research by Accenture Security iDefense analysts shows that SOCKSBOT was used by a threat group in an 18-month-long campaign dubbed Goldfin, which spoofed financial institutions in the Commonwealth of Independent States (CIS) countries from as early as February 2017 to as recently as May 2018. Based on the tactics, techniques and procedures (TTPs) observed in this campaign, iDefense assesses with moderate confidence that the reported campaign is unlikely to be associated with CANDLEFISH.

In addition, iDefense analysts have identified infrastructure overlap with FIN7 and the shared use of a PowerShell obfuscation technique. Although these observations are not enough to attribute the Goldfin campaign to FIN7, iDefense assesses them to be noteworthy because they further highlight the complex relationships that exist behind the scenes in organized cybercrime.

Download the report [PDF].

What does it mean?

The report identifies the modus operandi of a highly active threat group that is targeting financial institutions for financial gain. Security operations center (SOC) analysts and engineers can use this report's detailed information on the workings of a malware family and its indicators of compromise (IoCs) to contain or mitigate the discussed threat through monitoring or blocking. SOC analysts can use the information provided in the analysis and mitigation sections of this cyber advisory report to hunt for systems that may already have been compromised. Analysts and security engineers can use the IoCs by adding them to hunting lists on endpoint detection and response (EDR) solutions as well as network- and host-based blacklists to detect and deny malware implantation and command-and-control (C2) communication. Intelligence analysts may want to use the information provided in this cyber advisory report to better inform their own analyses. The information provided can also help inform ongoing intelligence analyses and forensic investigations, particularly for compromise discovery, damage assessment, and attribution. Management and executive leadership may wish to assess the risks associated with the threats described to make the appropriate operational and policy decisions.

What can you do?

To effectively defend against the threats identified in this report, we recommend the following:

  • Block the access URLs and IP addresses listed in the report.
  • Verify the existence of any of the artifacts noted in the report for incident response and threat hunting.
  • Verify the existence of any of the hashes on the host as detailed in the report.


Accenture Security

Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.

Copyright © 2020 Accenture. All rights reserved. Accenture, its logo, and High Performance Delivered are trademarks

Joshua Ray

Managing Director – Accenture Security
