A Persistent Campaign Targeting CIS Countries with SOCKSBOT
released on 2018-08-03 @ 09:30:02 AM
A number of security vendors reported a series of cyber-attacks involving the use of a
malware family called SOCKSBOT and claimed that the attacks were associated with
CANDLEFISH (a.k.a. Patchwork, Dropping Elephant). However, as disclosed in this report, research by
iDefense analysts shows that SOCKSBOT was in fact used by a threat group in an
18-month-long campaign dubbed Goldfin, spoofing financial institutions in the
Commonwealth of Independent States (CIS) countries from as early as February 2017 to
as recently as May 2018. Based on the tactics, techniques and procedures (TTPs)
observed in this campaign, iDefense assesses with moderate confidence that the
reported campaign is unlikely to be associated with CANDLEFISH.