Gold Dupont
GOLD DUPONT is the Secureworks-designated threat group associated with operation of the RansomExx ransomware and described as active since 2018. The reporting summarized here links the group to RansomExx intrusions affecting organizations in the United States, Canada, and Brazil, and notes that RansomExx was responsible for several high-profile attacks in 2020. The group is described as distributing RansomExx and using a toolset that includes Vatet loader, PyXie, Trickbot, RansomExx, and Cobalt Strike.

In the observed intrusion chain, initial access began with a phishing email carrying a password-protected ZIP archive that contained a malicious macro-enabled Word document. Enabling macros led to the download of IcedID, which was executed via regsvr32.exe, used steganography with a downloaded PNG payload, and established persistence through a scheduled task. Follow-on activity included deployment of Cobalt Strike for command-and-control, machine reconnaissance, and lateral movement over SMB. A trojanized Notepad++ binary acting as Vatet loader decrypted and executed payloads from config.dat files, including payloads used for information gathering via PyXie, LaZagne, and Mimikatz, and ultimately for RansomExx deployment. Trend Micro reported that the progression from initial access to ransomware deployment took about five hours.

The reporting also describes newer RansomExx variants for Linux servers. A Linux RansomExx sample was analyzed as a 64-bit ELF executable using the mbedtls library for multi-threaded encryption, with no observed network activity or anti-analysis behavior. The Linux variant is described as targeting VMware-related environments, particularly systems serving as storage for VMware files, and it requires a target directory argument before it begins recursive encryption and ransom note creation. Known alias: gold_dupont.
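As an added detection example (not code from this page, Secureworks or Trend Micro), the Python below correlates constructed process-creation events for the IcedID stage described above: an Office process spawning regsvr32.exe to load a DLL from outside the system directories, followed by scheduled-task persistence on the same host within a short window. The event field names, hostnames, paths and task name are assumptions made up for the sample.

```python
# Added example: correlate the macro -> regsvr32.exe -> scheduled task chain
# described in the GOLD DUPONT reporting over constructed process events.
from datetime import datetime, timedelta

# Directories from which regsvr32 normally loads DLLs; IcedID was staged elsewhere.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files")

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def find_icedid_like_chains(events, window_minutes=30):
    """Return (host, regsvr32_event, schtasks_event) triples matching the chain.

    events: dicts with keys host, time, parent, image, cmdline
    (assumed field names, not any vendor's schema).
    """
    findings = []
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(ev)
    for host, evs in by_host.items():
        evs.sort(key=lambda e: _ts(e["time"]))
        # Stage 1: Office parent launching regsvr32 with a DLL outside system dirs
        loaders = [e for e in evs
                   if e["image"].lower().endswith("regsvr32.exe")
                   and e["parent"].lower().endswith(("winword.exe", "excel.exe"))
                   and not any(d in e["cmdline"].lower() for d in SYSTEM_DIRS)]
        # Stage 2: a scheduled task registered on the same host shortly afterwards
        for ld in loaders:
            t0 = _ts(ld["time"])
            for e in evs:
                t = _ts(e["time"])
                if (e["image"].lower().endswith("schtasks.exe")
                        and "/create" in e["cmdline"].lower()
                        and t0 <= t <= t0 + timedelta(minutes=window_minutes)):
                    findings.append((host, ld, e))
    return findings

# Constructed sample telemetry (not real indicators); ws02 is a benign installer.
SAMPLE_EVENTS = [
    {"host": "ws01", "time": "2021-03-01T09:00:12", "parent": "WINWORD.EXE",
     "image": "C:\\Windows\\System32\\regsvr32.exe",
     "cmdline": "regsvr32.exe -s C:\\Users\\alice\\AppData\\Local\\Temp\\x.dll"},
    {"host": "ws01", "time": "2021-03-01T09:01:05", "parent": "regsvr32.exe",
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks.exe /create /tn Update /tr \"regsvr32.exe -s C:\\Users\\alice\\AppData\\Local\\Temp\\x.dll\" /sc hourly"},
    {"host": "ws02", "time": "2021-03-01T09:05:00", "parent": "msiexec.exe",
     "image": "C:\\Windows\\System32\\regsvr32.exe",
     "cmdline": "regsvr32.exe /s C:\\Windows\\System32\\vendor.dll"},
]

if __name__ == "__main__":
    for host, ld, task in find_icedid_like_chains(SAMPLE_EVENTS):
        print(f"{host}: {ld['cmdline']} -> {task['cmdline']}")
```

The same correlation can be extended to the later stage on the page by adding a file-read event for config.dat by a notepad++.exe image, which is the Vatet loader behaviour the reporting describes.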
Tradecraft
16 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
8 malware families attributed to this actor across reporting.
3 additional families tracked in Mallory.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Threat group associated with distributing RansomExx ransomware in a separate intrusion against the same organization.
Ransomware operations associated with RansomExx, characterized by fast end-to-end intrusions (reported ~5 hours from initial access to ransomware deployment). Initial access observed via phishing leading to IcedID, followed by Vatet loader for payload delivery and post-intrusion tooling (e.g., Cobalt Strike) for C2, discovery, lateral movement, credential theft, and ultimately ransomware deployment (including a Linux variant targeting Linux/VMware-related servers).