ThaiCERT    ETDA    MDES
Report
Search
Home > List all groups > List all tools > List all groups using tool GoldMax

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: GoldMax

NamesGoldMax
SUNSHUTTLE
CategoryMalware
TypeBackdoor
Description(Microsoft) The GoldMax malware was discovered persisting on networks as a scheduled task impersonating systems management software. In the instances it was encountered, the scheduled task was named after software that existed in the environment, and pointed to a subfolder in ProgramData named after that software, with a similar executable name. The executable, however, was the GoldMax implant.

Written in Go, GoldMax acts as command-and-control backdoor for the actor. It uses several different techniques to obfuscate its actions and evade detection. The malware writes an encrypted configuration file to disk, where the file name and AES-256 cipher keys are unique per implant and based on environmental variables and information about the network where it is running.
Information<https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/>
<https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html>
<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a>
<https://x0r19x91.gitlab.io/post/malware-analysis/sunshuttle/>
Malpedia<https://malpedia.caad.fkie.fraunhofer.de/details/win.goldmax>

Last change to this tool card: 24 April 2021

Download this tool card in JSON format

All groups using tool GoldMax

ChangedNameCountryObserved

APT groups

 APT 29, Cozy Bear, The DukesRussia2008-Jul 2021 HOTX

1 group listed (1 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key