GoldMax

Malware updated 7 months ago (2024-05-05T05:17:56.702Z)
GoldMax is a sophisticated backdoor first identified on Windows systems; the earliest known sample carries a compilation timestamp of May 2020. The malware was built by threat actors to exploit and damage computer systems, typically infiltrating without the user's knowledge through suspicious downloads, emails, or websites; once inside, it can steal personal information, disrupt operations, or hold data hostage for ransom. To evade detection, the threat actor renamed their utilities so that they masqueraded as legitimate system binaries and matched the role of the host they were placed on.

A later CrowdStrike investigation revealed that GoldMax has a wider reach than previously thought: a variant built for Linux was deployed in mid-2019. It was found during StellarParticle-related investigations, in which two advanced malware families were identified on victim systems dating from around mid-2019, a Linux variant of GoldMax and an entirely new family named TrailBlazer. Both families are attributed to the group behind the SolarWinds intrusion, tracked by Malwarebytes as APT29/Cozy Bear. The group is known for novel tactics, techniques, and procedures (TTPs), including covert malware such as TrailBlazer and the Linux GoldMax backdoor, which allowed it to remain undetected for years.

GoldMax communicates with its command-and-control (C2) server using an encrypted session key. C2 commands are represented as seemingly random alphanumeric ASCII strings that are unique to each implant but known to the C2 server. They allow the operator to download and execute files on the compromised system, upload files from it to the C2 server, run OS commands, spawn a command shell, and dynamically update GoldMax's configuration data.

The configuration data includes an execution activation/trigger date, acting as an "activate after x date/time" feature, and can be updated dynamically to set a new activation date, replace the C2 URL and User-Agent values, enable or disable the decoy network traffic feature, and change the number range used by its PRNG.
Description last updated: 2024-05-05T04:26:07.827Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
TrailBlazer (2 votes): a possible alias for GoldMax. TrailBlazer is a sophisticated malware that was identified by CrowdStrike during StellarParticle-related investigations. The harmful program, designed to exploit and damage computers or devices, infiltrated victim systems around mid-2019. Two significant malware families were discovered: a Linux var
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Malware
Microsoft
Linux
Associated Malware
TEARDROP (association type: Unspecified; 2 votes): the TEARDROP malware is associated with GoldMax. Teardrop is a sophisticated malware used in cyber attacks, often associated with APT29/Cozy Bear, a group known for deploying advanced tactics and techniques. It has been linked to the Solorigate (SUNBURST) backdoor and is part of a suite of tools including Raindrop, GoldMax, and others used by the
SUNBURST (association type: Unspecified; 2 votes): the SUNBURST malware is associated with GoldMax. Sunburst is a sophisticated malware that was detected in a major supply chain attack in December 2020. The Sunburst backdoor has been tied to Kazuar, another malicious software, due to code resemblance, indicating its high level of complexity. This malware infiltrates systems, often without the user