GoldMax
Associated Software Descriptions |
|
| Name | Description |
|---|---|
| SUNSHUTTLE | (Citation: FireEye SUNSHUTTLE Mar 2021) |
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
GoldMax has used HTTPS and HTTP GET requests with custom HTTP cookies for C2.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021) |
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
GoldMax can spawn a command shell, and execute native commands.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021) |
| Enterprise | T1001 | .001 | Data Obfuscation: Junk Data |
GoldMax has used decoy traffic to surround its malicious network traffic to avoid detection.(Citation: MSTIC NOBELIUM Mar 2021) |
| Enterprise | T1573 | .002 | Encrypted Channel: Asymmetric Cryptography |
GoldMax has RSA-encrypted its communication with the C2 server.(Citation: MSTIC NOBELIUM Mar 2021) |
| Enterprise | T1036 | .004 | Masquerading: Masquerade Task or Service |
GoldMax has impersonated systems management software to avoid detection.(Citation: MSTIC NOBELIUM Mar 2021) |
| .005 | Masquerading: Match Legitimate Name or Location |
GoldMax has used filenames that matched the system name, and appeared as a scheduled task impersonating systems management software within the corresponding ProgramData subfolder.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: CrowdStrike StellarParticle January 2022) |
||
| Enterprise | T1027 | .002 | Obfuscated Files or Information: Software Packing |
GoldMax has been packed for obfuscation.(Citation: FireEye SUNSHUTTLE Mar 2021) |
| Enterprise | T1053 | .003 | Scheduled Task/Job: Cron |
The GoldMax Linux variant has used a crontab entry with a |
| .005 | Scheduled Task/Job: Scheduled Task |
GoldMax has used scheduled tasks to maintain persistence.(Citation: MSTIC NOBELIUM Mar 2021) |
||
| Enterprise | T1497 | .001 | Virtualization/Sandbox Evasion: System Checks |
GoldMax will check if it is being run in a virtualized environment by comparing the collected MAC address to |
| .003 | Virtualization/Sandbox Evasion: Time Based Evasion |
GoldMax has set an execution trigger date and time, stored as an ASCII Unix/Epoch time value.(Citation: MSTIC NOBELIUM Mar 2021) |
||
Groups That Use This Software |
||
| ID | Name | References |
|---|---|---|
| G0016 | APT29 |
(Citation: MSTIC NOBELIUM Mar 2021) (Citation: Cybersecurity Advisory SVR TTP May 2021) (Citation: MSTIC NOBELIUM May 2021) (Citation: MSTIC Nobelium Toolset May 2021) (Citation: Secureworks IRON RITUAL Profile) |
| G0118 | UNC2452 |
(Citation: MSTIC NOBELIUM Mar 2021) |
References
- CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
- Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
- Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021.
- NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.
- Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.
- MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
- Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.