Ethical Hacking News
A sophisticated malware campaign, known as the Gold Melody IAB, has been discovered, utilizing exposed ASP.NET machine keys to gain unauthorized access to targeted organizations. The campaign, attributed to the Prophet Spider group, has been tracked by Palo Alto Networks Unit 42 and involves the use of leaked machine keys for ViewState code injection attacks, ultimately leading to arbitrary code execution.
The Gold Melody IAB has been linked to the Prophet Spider group and is exploiting leaked ASP.NET machine keys for ViewState code injection attacks. The campaign uses exposed machine keys to deliver malicious payloads directly into server memory, posing a significant threat to organizations worldwide. The attack relies on a single, stateless assembly loaded into memory, highlighting the need for organizations to prioritize identifying and remediating compromised machine keys. The Gold Melody IAB has primarily focused on exploiting systems, deploying modules, and performing basic shell reconnaissance between October 2024 and January 2025. Organizations must take proactive measures to strengthen their ASP.NET applications' security posture and implement robust incident response strategies to mitigate similar attacks in the future.
In recent months, a significant spike in malicious activity has been detected, with various security experts and researchers attributing it to the Gold Melody IAB, an Initial Access Broker (IAB) known to exploit leaked ASP.NET machine keys. The campaign, monitored by Palo Alto Networks Unit 42, has been linked to the Prophet Spider group and involves the use of exposed machine keys for ViewState code injection attacks.
The first sign of these attacks was detected by Microsoft in December 2024, when an unknown adversary leveraged a publicly available, static ASP.NET machine key to inject malicious code and deliver the Godzilla post-exploitation framework. Since then, various organizations have been targeted, with the Gold Melody IAB using leaked machine keys to execute malicious payloads directly in server memory.
The campaign's approach is notable for its simplicity, as it utilizes a single, stateless assembly directly loaded into memory. Each command execution requires re-exploitation and re-uploading of the assembly, highlighting the need for organizations to prioritize identifying and remediating compromised machine keys. The use of exposed machine keys also underscores broader categories of cryptographic key exposure threats, including weak machineKey generation policies, missing MAC validation, and insecure defaults in older ASP.NET applications.
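The misconfigurations named above (static machineKey values, disabled MAC validation, legacy validation algorithms) can be audited directly from web.config. The following Python is an added example, not code from the article or from Unit 42; the two web.config samples are constructed placeholders, and the finding text and the `LEGACY_VALIDATION` set are the author's own choices.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not from any real deployment). The first shows the
# pattern this campaign abuses: a static, copy-pasted machineKey plus MAC validation
# switched off in config; the second shows a hardened equivalent.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_STATIC_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_STATIC_DECRYPTION_KEY"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>"""

HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>"""

# Validation algorithms that predate the HMACSHA2 family (assumption: treat as legacy).
LEGACY_VALIDATION = {"MD5", "SHA1", "3DES"}

def audit_machine_key(config_xml: str) -> list[str]:
    """Return findings about <machineKey> and ViewState MAC settings in a web.config."""
    findings = []
    system_web = ET.fromstring(config_xml).find("system.web")
    if system_web is None:
        return findings
    mk = system_web.find("machineKey")
    if mk is not None:
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "")
            # Explicit keys are legitimate for web farms; the risk is a key copied from a
            # public sample, which lets anyone forge validly signed ViewState.
            if value and not value.startswith("AutoGenerate"):
                findings.append(f"static {attr}: confirm it was generated locally, rotate if unsure")
        if mk.get("validation", "").upper() in LEGACY_VALIDATION:
            findings.append(f"legacy validation={mk.get('validation')}: prefer HMACSHA256")
    pages = system_web.find("pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false is set: remove it, MAC validation must stay on")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(name, audit_machine_key(cfg) or ["no findings"])
```

Point the function at the contents of each web.config on an IIS host; any static key it reports should be compared against the keys the team actually generated, and rotated if its origin cannot be established.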
The Gold Melody IAB's activities have primarily focused on exploiting systems, deploying modules, and performing basic shell reconnaissance between October 2024 and January 2025. Post-exploitation activity has primarily involved reconnaissance of the compromised host and surrounding network. Some notable tools downloaded onto the systems include an ELF binary named atm from an external server ("195.123.240[.]233:443") and a Golang port scanner called TXPortMap to map out the internal network and identify potential exploitation targets.
The campaign's use of ysoserial.net and its ViewState plugin to build payloads is also noteworthy, as these payloads pass ViewState protections (because they are signed with the leaked key) and trigger the execution of a .NET assembly in memory. Five different IIS modules have been identified as loaded into memory so far: Cmd /c, file upload, Winner, file download (not recovered), and Reflective loader (not recovered). Each of these modules is used to execute arbitrary instructions on the server.
The Gold Melody IAB's targeting has primarily focused on organizations in various industries, including financial services, manufacturing, wholesale and retail, high technology, and transportation and logistics. The group's opportunistic approach and ongoing tool development highlight the need for organizations to prioritize identifying and remediating compromised machine keys.
The broader category of cryptographic key exposure threats highlighted by this campaign underscores the importance of expanding internal threat models to include cryptographic integrity risks, ViewState MAC tampering, and IIS middleware abuse. Organizations must take proactive measures to strengthen their ASP.NET applications' security posture and implement robust incident response strategies to mitigate such attacks.
In conclusion, the Gold Melody IAB's sophisticated approach to exploiting exposed ASP.NET machine keys poses a significant threat to organizations worldwide. As more sensitive data is stored in these applications, it is crucial for enterprises to prioritize identifying and remediating compromised machine keys and implement effective security measures to prevent similar attacks in the future.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Gold-Melody-IAB-A-Sophisticated-Malware-Campaign-Exposes-ASPNET-Machine-Keys-for-Unauthorized-Access-ehn.shtml
https://thehackernews.com/2025/07/gold-melody-iab-exploits-exposed-aspnet.html
Published: Wed Jul 9 14:28:03 2025 by llama3.2 3B Q4_K_M