GoldMax

Malware Profile Updated 3 months ago
GoldMax is a sophisticated backdoor first identified on Windows; the earliest known sample carries a compilation timestamp from May 2020. The threat actors built it to compromise and damage computer systems, and it typically arrives through malicious downloads, emails, or websites without the user's knowledge. Once inside, it can steal information, disrupt operations, or hold data for ransom. To evade detection, the threat actor renamed their utilities to masquerade as legitimate system binaries, to match the host's role, or otherwise to appear legitimate.

A more recent CrowdStrike investigation showed that GoldMax's reach is wider than previously thought: a variant built for Linux was deployed in mid-2019. It was uncovered during StellarParticle-related investigations, in which two advanced malware families were found on victim systems dating from around mid-2019: a Linux variant of GoldMax and an entirely new family named TrailBlazer. Both families are attributed to the group behind the SolarWinds compromise, tracked by Malwarebytes as APT29/Cozy Bear. The group is known for novel tactics, techniques, and procedures (TTPs), and covert implants such as TrailBlazer and the GoldMax Linux backdoor allowed it to remain unnoticed for years.

GoldMax communicates with its command-and-control (C2) server using an encrypted session key. C2 commands are represented as seemingly random alphanumeric ASCII strings that are unique to each implant but known to the C2 server. They let the operator download and execute files on the compromised system, upload files from the compromised system to the C2 server, execute OS commands, spawn a command shell, and dynamically update GoldMax's configuration data.
The configuration data contains an execution activation/trigger date, which acts as an "activate after x date/time" feature. The configuration can be updated dynamically to set a new activation date, replace the existing C2 URL and User-Agent values, enable or disable the decoy network traffic feature, and change the number range used by its PRNG.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names / profiles you may also want to look at.
ID | Votes | Profile Description
TrailBlazer | 2 | Trailblazer is a sophisticated malware that was identified by CrowdStrike during StellarParticle-related investigations. The harmful program, designed to exploit and damage computers or devices, infiltrated victim systems around mid-2019. Two significant malware families were discovered: a Linux var
Miscellaneous Associations
Other elements of context that could aid in assessing relevance:
Malware, Backdoor, Linux, Microsoft, Encryption, Decoy, Exploit, Malwarebytes, Encrypt, Implant, CrowdStrike, Windows, exploitation
Associated Malware
ID | Type | Votes | Profile Description
SUNBURST | Unspecified | 2 | Sunburst is a sophisticated malware that has been linked to the Kazuar code, indicating its complexity. It was used in several well-known cyber attack campaigns such as SUNBURST, OilRig, xHunt, DarkHydrus, and Decoy Dog, which employed DNS tunneling techniques for command and control (C2) communicat
TEARDROP | Unspecified | 2 | Teardrop is a sophisticated malware used in cyber attacks, often associated with APT29/Cozy Bear, a group known for deploying advanced tactics and techniques. It has been linked to the Solorigate (SUNBURST) backdoor and is part of a suite of tools including Raindrop, GoldMax, and others used by the
Linux Variant of Goldmax | Unspecified | 1 | The Linux variant of GoldMax is a malicious software (malware) that poses significant threats to computer systems. This malware, designed to exploit and damage your device, can infiltrate your system through suspicious downloads, emails, or websites, often without the user's knowledge. Once it gains
Adobe Utility | Unspecified | 1 | None
Sunshuttle | Unspecified | 1 | Sunshuttle is a malicious software (malware) that has been linked to various cyber threats. Initial reports identified connections between Sunshuttle, a Tomiris Golang implant, NOBELIUM (also known as APT29 or TheDukes), and Kazuar, which is associated with Turla. However, interpreting these connect
svchost.exe | Unspecified | 1 | Svchost.exe is a malware that exploits and damages computer systems by injecting malicious code into various processes. This harmful program can infiltrate your system through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, di
GoldFinder | Unspecified | 1 | GoldFinder is a malware, a harmful software designed to exploit and damage computer systems. It was compiled using Go 1.14.2 in April 2020 from a Go file named finder.go with the path: /tmp/finder.go. This malicious program can infect your system through suspicious downloads, emails, or websites, of
Associated Threat Actors
ID | Type | Votes | Profile Description
NOBELIUM | Unspecified | 1 | Nobelium, a threat actor linked to Russia's SVR, has been actively targeting French diplomatic entities as part of its cyber-espionage activities. The Advanced Persistent Threat (APT) group has utilized sophisticated techniques such as phishing and attempts to install Cobalt Strike, an advanced malw
StellarParticle | Unspecified | 1 | StellarParticle, a threat actor associated with the COZY BEAR adversary group, has been identified as a significant cybersecurity risk by CrowdStrike. StellarParticle is known for its extensive knowledge of Windows and Linux operating systems, Microsoft Azure, O365, and Active Directory, and it has
Associated Vulnerabilities
No associations to display
Source Document References
Information about the GoldMax malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
Malwarebytes | a year ago | Microsoft Teams used in phishing campaign to bypass multi-factor authentication
CERT-EU | a year ago | Microsoft Teams Users Targeted by Russian Threat Group
MITRE | a year ago | StellarParticle Campaign: Novel Tactics and Techniques | CrowdStrike
MITRE | a year ago | New sophisticated email-based attack from NOBELIUM - Microsoft Security Blog
MITRE | a year ago | GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM's layered persistence - Microsoft Security Blog
MITRE | a year ago | Tomiris backdoor and its connection to Sunshuttle and Kazuar