GoldMax

GoldMax is a second-stage C2 backdoor written in Go with Windows and Linux variants that are nearly identical in functionality. GoldMax was discovered in early 2021 during the investigation into the SolarWinds Compromise, and has likely been used by APT29 since at least mid-2019. GoldMax uses multiple defense evasion techniques, including avoiding virtualization execution and masking malicious traffic.[1][2][3]

ID: S0588
Associated Software: SUNSHUTTLE
Type: MALWARE
Platforms: Windows, Linux
Version: 2.3
Created: 12 March 2021
Last Modified: 11 April 2024

Associated Software Descriptions

Name Description
SUNSHUTTLE [2]

Techniques Used

Domain ID Name Use
Enterprise T1036.004 Masquerading: Masquerade Task or Service

GoldMax has impersonated systems management software to avoid detection.[1]

Enterprise T1036.005 Masquerading: Match Legitimate Name or Location

GoldMax has used filenames that matched the system name and has appeared as a scheduled task impersonating systems management software within the corresponding ProgramData subfolder.[1][3]

Enterprise T1573.002 Encrypted Channel: Asymmetric Cryptography

GoldMax has RSA-encrypted its communication with the C2 server.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

GoldMax has decoded and decrypted the configuration file when executed.[1][2]

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

GoldMax can spawn a command shell and execute native commands.[1][2]

Enterprise T1071.001 Application Layer Protocol: Web Protocols

GoldMax has used HTTPS and HTTP GET requests with custom HTTP cookies for C2.[1][2]

Enterprise T1001.001 Data Obfuscation: Junk Data

GoldMax has used decoy traffic to surround its malicious network traffic to avoid detection.[1]

Enterprise T1027.002 Obfuscated Files or Information: Software Packing

GoldMax has been packed for obfuscation.[2]

Enterprise T1027.013 Obfuscated Files or Information: Encrypted/Encoded File

GoldMax has written AES-encrypted and Base64-encoded configuration files to disk.[1][2]

Enterprise T1124 System Time Discovery

GoldMax can check the current date and time of the compromised system, compare it to the hardcoded execution trigger, and send the current timestamp to the C2 server.[1][2]

Enterprise T1016 System Network Configuration Discovery

GoldMax retrieved a list of the system's network interfaces after execution.[1]

Enterprise T1497.001 Virtualization/Sandbox Evasion: System Checks

GoldMax will check if it is being run in a virtualized environment by comparing the collected MAC address to c8:27:cc:c2:37:5a.[1][2]

Enterprise T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion

GoldMax has set an execution trigger date and time, stored as an ASCII Unix/Epoch time value.[1]

Enterprise T1105 Ingress Tool Transfer

GoldMax can download and execute additional files.[1][2]

Enterprise T1041 Exfiltration Over C2 Channel

GoldMax can exfiltrate files over the existing C2 channel.[1][2]

Enterprise T1564.011 Hide Artifacts: Ignore Process Interrupts

The GoldMax Linux variant has been executed with the nohup command so that it ignores hangup signals and continues to run if the terminal session is terminated.[3]

Enterprise T1053.003 Scheduled Task/Job: Cron

The GoldMax Linux variant has used a crontab entry with a @reboot line to gain persistence.[3]

Enterprise T1053.005 Scheduled Task/Job: Scheduled Task

GoldMax has used scheduled tasks to maintain persistence.[1]

Groups That Use This Software

Campaigns

ID Name Description
C0024 SolarWinds Compromise [1]

References