GoldMax

Malware Profile Updated a month ago
GoldMax is a sophisticated backdoor, initially discovered targeting Windows; the earliest identified timestamp indicates compilation in May 2020. It is malicious software built by threat actors to compromise and damage computer systems, typically delivered without the user's knowledge through malicious downloads, emails, or websites; once installed it can steal personal information, disrupt operations, or hold data hostage for ransom. To avoid detection, the threat actor renamed their utilities to masquerade as legitimate system binaries, to match the system's role, or otherwise to appear legitimate.

A CrowdStrike investigation revealed that GoldMax has a wider reach than previously thought: a variant built for Linux was deployed in mid-2019. It was found during StellarParticle-related investigations, in which two advanced malware families were discovered on victim systems from around mid-2019: a Linux variant of GoldMax and an entirely new family referred to as TrailBlazer. Both families are attributed to the group behind the SolarWinds attack, tracked by Malwarebytes as APT29/Cozy Bear. This group is known for deploying novel tactics, techniques, and procedures (TTPs), including covert malware such as TrailBlazer and the GoldMax Linux backdoor variant, which allowed it to go unnoticed for years.

GoldMax uses an encrypted session key to communicate with its command-and-control (C2) server. C2 commands are represented as seemingly random alphanumeric ASCII strings that are unique to each implant but known to the C2 server. They allow the operator to download and execute files on the compromised system, upload files from the compromised system to the C2 server, execute OS commands, spawn a command shell, and dynamically update GoldMax's configuration data.

The configuration data contains an execution activation/trigger date, serving as an "activate after a given date/time" feature. The configuration can be dynamically updated to set a new activation date, replace the existing C2 URL and User-Agent values, enable or disable the decoy network traffic feature, and change the number range used by its pseudo-random number generator (PRNG).
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
TrailBlazer | 2 | Trailblazer is a sophisticated malware that was identified by CrowdStrike during StellarParticle-related investigations. The harmful program, designed to exploit and damage computers or devices, infiltrated victim systems around mid-2019. Two significant malware families were discovered: a Linux var
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Malware
Microsoft
Linux
Associated Malware
ID | Type | Votes | Profile Description
TEARDROP | Unspecified | 2 | Teardrop is a sophisticated malware used in cyber attacks, often associated with APT29/Cozy Bear, a group known for deploying advanced tactics and techniques. It has been linked to the Solorigate (SUNBURST) backdoor and is part of a suite of tools including Raindrop, GoldMax, and others used by the
SUNBURST | Unspecified | 2 | Sunburst is a sophisticated malware that infiltrated SolarWinds' Orion platform, causing significant cybersecurity concerns. The malware was linked to Kazuar due to code resemblance, indicating its high level of complexity. The Sunburst campaign was exposed in December 2020 by cybersecurity firm Fir
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the GoldMax malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE | a year ago | GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM's layered persistence - Microsoft Security Blog
MITRE | a year ago | StellarParticle Campaign: Novel Tactics and Techniques | CrowdStrike
MITRE | a year ago | New sophisticated email-based attack from NOBELIUM - Microsoft Security Blog
MITRE | a year ago | Tomiris backdoor and its connection to Sunshuttle and Kazuar
Malwarebytes | 10 months ago | Microsoft Teams used in phishing campaign to bypass multi-factor authentication
CERT-EU | 10 months ago | Microsoft Teams Users Targeted by Russian Threat Group