S0588 GoldMax
GoldMax is a second-stage C2 backdoor written in Go with Windows and Linux variants that are nearly identical in functionality. GoldMax was discovered in early 2021 during the investigation into the SolarWinds Compromise, and has likely been used by APT29 since at least mid-2019. GoldMax uses multiple defense evasion techniques, including avoiding virtualization execution and masking malicious traffic.[2][3][1]
Item | Value |
---|---|
ID | S0588 |
Associated Names | SUNSHUTTLE |
Type | MALWARE |
Version | 2.1 |
Created | 12 March 2021 |
Last Modified | 27 March 2023 |
Associated Software Descriptions
Name | Description |
---|---|
SUNSHUTTLE | [3] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | GoldMax has used HTTPS and HTTP GET requests with custom HTTP cookies for C2.[2][3] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | GoldMax can spawn a command shell and execute native commands.[2][3] |
enterprise | T1001 | Data Obfuscation | - |
enterprise | T1001.001 | Junk Data | GoldMax has used decoy traffic to surround its malicious network traffic to avoid detection.[2] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | GoldMax has decoded and decrypted the configuration file when executed.[2][3] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.002 | Asymmetric Cryptography | GoldMax has RSA-encrypted its communication with the C2 server.[2] |
enterprise | T1041 | Exfiltration Over C2 Channel | GoldMax can exfiltrate files over the existing C2 channel.[2][3] |
enterprise | T1105 | Ingress Tool Transfer | GoldMax can download and execute additional files.[2][3] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.004 | Masquerade Task or Service | GoldMax has impersonated systems management software to avoid detection.[2] |
enterprise | T1036.005 | Match Legitimate Name or Location | GoldMax has used filenames that matched the system name, and appeared as a scheduled task impersonating systems management software within the corresponding ProgramData subfolder.[2][1] |
enterprise | T1027 | Obfuscated Files or Information | GoldMax has written AES-encrypted and Base64-encoded configuration files to disk.[2][3] |
enterprise | T1027.002 | Software Packing | GoldMax has been packed for obfuscation.[3] |
enterprise | T1053 | Scheduled Task/Job | - |
enterprise | T1053.003 | Cron | The GoldMax Linux variant has used a crontab entry with a @reboot line to gain persistence.[1] |
enterprise | T1053.005 | Scheduled Task | GoldMax has used scheduled tasks to maintain persistence.[2] |
enterprise | T1016 | System Network Configuration Discovery | GoldMax retrieved a list of the system's network interfaces after execution.[2] |
enterprise | T1124 | System Time Discovery | GoldMax can check the current date-time value of the compromised system, comparing it to the hardcoded execution trigger, and can send the current timestamp to the C2 server.[2][3] |
enterprise | T1497 | Virtualization/Sandbox Evasion | - |
enterprise | T1497.001 | System Checks | GoldMax will check if it is being run in a virtualized environment by comparing the collected MAC address to c8:27:cc:c2:37:5a.[2][3] |
enterprise | T1497.003 | Time Based Evasion | GoldMax has set an execution trigger date and time, stored as an ASCII Unix/Epoch time value.[2] |
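As an added defender-side example (not code from the ATT&CK page or any of its references), the following Python helpers triage two of the host-based traits listed above: a `@reboot` crontab entry used for persistence (T1053.003) and an executable under ProgramData whose name matches the host name (T1036.005). The crontab text, host name and file paths are constructed samples, not observed indicators.

```python
"""Triage helpers for two GoldMax host-persistence traits (constructed example)."""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Constructed crontab content, not a real capture: one benign scheduled job
# plus a @reboot line of the kind used for persistence on the Linux variant.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update
@reboot /var/tmp/.cache/sysupdate >/dev/null 2>&1
"""

# Constructed Windows paths for a hypothetical host named WS-0142.
SAMPLE_HOSTNAME = "WS-0142"
SAMPLE_PATHS = [
    r"C:\ProgramData\MgmtVendor\WS-0142.exe",   # stem equals host name, under ProgramData
    r"C:\ProgramData\MgmtVendor\agent.exe",     # ordinary vendor binary
    r"C:\Users\Public\WS-0142.exe",             # host-named but not under ProgramData
]

_REBOOT_LINE = re.compile(r"^\s*@reboot\s+(?P<cmd>\S.*)$")


def find_reboot_cron_entries(crontab_text: str) -> list[str]:
    """Return the command of every @reboot crontab line (T1053.003 persistence)."""
    entries = []
    for line in crontab_text.splitlines():
        match = _REBOOT_LINE.match(line)
        if match:
            entries.append(match.group("cmd").strip())
    return entries


def flag_hostname_named_binaries(paths: list[str], hostname: str) -> list[str]:
    """Flag files under a ProgramData subfolder whose basename (without extension)
    equals the host name, the naming pattern described for T1036.005."""
    flagged = []
    for raw in paths:
        path = PureWindowsPath(raw)
        under_programdata = any(part.lower() == "programdata" for part in path.parts)
        if under_programdata and path.stem.lower() == hostname.lower():
            flagged.append(raw)
    return flagged


if __name__ == "__main__":
    print("reboot cron entries:", find_reboot_cron_entries(SAMPLE_CRONTAB))
    print("host-named ProgramData files:", flag_hostname_named_binaries(SAMPLE_PATHS, SAMPLE_HOSTNAME))
```

In practice `SAMPLE_CRONTAB` would come from `crontab -l` output per user and `SAMPLE_PATHS` from a directory walk of `%ProgramData%`, with the host name taken from the system.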
Groups That Use This Software
ID | Name | References |
---|---|---|
G0016 | APT29 | [2][4][5][6][7][9][10][8] |
References
1. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
2. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM's layered persistence. Retrieved March 8, 2021.
3. Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021.
4. NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.
5. Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.
6. MSTIC. (2021, May 28). Breaking down NOBELIUM's latest early-stage toolset. Retrieved August 4, 2021.
7. Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022.
8. Mandiant. (2020, April 27). Assembling the Russian Nesting Doll: UNC2452 Merged into APT29. Retrieved March 26, 2023.
9. NSA, FBI, DHS. (2021, April 15). Russian SVR Targets U.S. and Allied Networks. Retrieved April 16, 2021.
10. UK NCSC. (2021, April 15). UK and US call out Russia for SolarWinds compromise. Retrieved April 16, 2021.