Gold Kingswood is an advanced persistent cybercrime group that has been successfully targeting financial organizations since at least 2016. The group is highly sophisticated, financially motivated, and uses a tool called SpicyOmelette during the initial exploitation of an organization. Once installed, SpicyOmelette gives Gold Kingswood a foothold on the targeted system from which the group steals account credentials, surveys and evaluates the compromised environment, identifies desirable systems, and deploys malware specifically designed to target those systems.
Despite the arrests of suspected Gold Kingswood operators in March 2018, the threat group's campaigns continued, likely because of its vast network of resources. The access provided by SpicyOmelette and the other post-compromise tools Gold Kingswood regularly uses helps the threat actors escalate privileges on a system and compromise targets more efficiently. CTU analysis of one Gold Kingswood campaign that used SpicyOmelette exposed additional sophisticated methods for compromising targets.
Overall, Gold Kingswood is a highly capable and sophisticated criminal threat group that poses a significant risk to financial organizations. Organizations should be aware of the threat posed by Gold Kingswood, take steps to secure their systems, and ensure that their employees are aware of this threat. It is also essential to have robust incident response plans in place so that any security incident involving Gold Kingswood can be handled effectively.
Description last updated: 2023-06-13T16:00:57.121Z