GoldFinder

Malware updated 4 months ago (2024-05-05T14:17:28.984Z)
GoldFinder is malware, harmful software designed to exploit and damage computer systems. It was compiled using Go 1.14.2 in April 2020 from a Go source file named finder.go located at /tmp/finder.go. This malicious program can infect a system through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom.

Upon activation, GoldFinder identifies all HTTP proxy servers and other redirectors, such as network security devices, that an HTTP request travels through inside and outside the network to reach the intended C2 server. It does this by tracing redirects: if the response is not an HTTP 200 (OK) response and carries a Location header (indicating a redirect) whose value starts with the string "http", GoldFinder extracts the Location URL (the redirect URL) and issues a new HTTP GET request for it. It recursively follows and logs each redirect in this way until it receives an HTTP 200 response, which indicates there are no more redirects, at which point it terminates.

GoldFinder's functionality can be exploited by actors on a compromised device to identify potential points of discovery or logging of their other actions, such as C2 communication with GoldMax. The malware uses hardcoded labels to store the request and response information in a log file, providing a detailed record of each hop it traversed.
Description last updated: 2024-05-05T13:22:09.017Z
Aliases: none currently tracked.
Source Document References

Information about the GoldFinder malware was read from the document below.

- MITRE (added 2 years ago): GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM's layered persistence - Microsoft Security Blog