GOLD GILBERT
SUMMARY
GOLD GILBERT is the name used by the CTU to characterize a series of intrusions in 2014 focused on billing and illegitimate, fraudulent payment transfers. Links to other open source reporting identify this group as involved in classic '419 scams', and in 2014/15 CTU researchers assessed with moderate confidence that the group was based in Nigeria.
Campaigns were characterized by spear phishing used to install the DarkComet and NetWire RATs. The group has used commercially available loaders/decoders, such as the AutoIt-based DataScrambler, to help these RATs evade AV detection. GOLD GILBERT appears to concentrate on targeting purchasing staff when identified, and uses forged invoices and access to legitimate email accounts to conduct fraud.