GoldMax

Malware updated a month ago (2024-11-29T14:19:17.307Z)
Download STIX
Preview STIX
GoldMax is a sophisticated malware, initially discovered to target Windows platforms with the earliest identified timestamp indicating a compilation in May 2020. The malicious software was designed by threat actors to exploit and damage computer systems, often infiltrating without the user's knowledge through suspicious downloads, emails, or websites. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom. To avoid detection, the threat actor renamed their utilities to masquerade as legitimate system binaries, match the system’s role, or appear legitimate. A recent investigation by CrowdStrike revealed that GoldMax has a more extensive reach than previously thought, with a variant built for the Linux platform deployed in mid-2019. This discovery was made during StellarParticle-related investigations where two advanced malware families were found on victim systems from around mid-2019: a Linux variant of GoldMax and a completely new family referred to as TrailBlazer. Both these malware families were associated with the same group behind the infamous SolarWinds attack, tracked by Malwarebytes as APT29/Cozy Bear. This group is well-known for deploying novel tactics, techniques, and procedures (TTPs), including the use of covert malware such as TrailBlazer and GoldMax Linux backdoor variant, which allowed them to go unnoticed for years. GoldMax operates by using an encrypted session key to communicate with its command-and-control (C2) server. The C2 commands are represented as seemingly random alphanumerical ASCII strings that are unique to each implant but known to the C2 server, enabling the operator to download and execute files on the compromised system, upload files from the compromised system to the C2 server, execute OS commands on the compromised system, spawn a command shell, and dynamically update GoldMax’s configuration data. The malware's configuration data contains an execution activation/trigger date, serving as an "activate after x date/time" feature, and can be dynamically updated to set a new activation date, replace the existing C2 URL and User-Agent values, enable/disable decoy network traffic feature, and update the number range used by its PRNG.
Description last updated: 2024-05-05T04:26:07.827Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
TrailBlazer is a possible alias for GoldMax. Trailblazer is a sophisticated malware that was identified by CrowdStrike during StellarParticle-related investigations. The harmful program, designed to exploit and damage computers or devices, infiltrated victim systems around mid-2019. Two significant malware families were discovered: a Linux var
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Malware
Microsoft
Linux
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The TEARDROP Malware is associated with GoldMax. Teardrop is a sophisticated malware used in cyber attacks, often associated with APT29/Cozy Bear, a group known for deploying advanced tactics and techniques. It has been linked to the Solorigate (SUNBURST) backdoor and is part of a suite of tools including Raindrop, GoldMax, and others used by the Unspecified
2
The SUNBURST Malware is associated with GoldMax. Sunburst is a sophisticated malware that was detected in a major supply chain attack in December 2020. The Sunburst backdoor has been tied to Kazuar, another malicious software, due to code resemblance, indicating its high level of complexity. This malware infiltrates systems, often without the userUnspecified
2
Source Document References
Information about the GoldMax Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more