Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

GoldMax

GoldMax is a second-stage C2 backdoor written in Go with Windows and Linux variants that are nearly identical in functionality. GoldMax was discovered in early 2021 during the investigation into the SolarWinds Compromise, and has likely been used by APT29 since at least mid-2019. GoldMax uses multiple defense evasion techniques, including avoiding virtualization execution and masking malicious traffic.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)(Citation: CrowdStrike StellarParticle January 2022)
ID: S0588
Associated Software: SUNSHUTTLE
Type: MALWARE
Platforms: Windows
Version: 2.3
Created: 12 Mar 2021
Last Modified: 11 Apr 2024

Associated Software Descriptions

Name Description
SUNSHUTTLE (Citation: FireEye SUNSHUTTLE Mar 2021)

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

GoldMax has used HTTPS and HTTP GET requests with custom HTTP cookies for C2.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

GoldMax can spawn a command shell, and execute native commands.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)

Enterprise T1001 .001 Data Obfuscation: Junk Data

GoldMax has used decoy traffic to surround its malicious network traffic to avoid detection.(Citation: MSTIC NOBELIUM Mar 2021)

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

GoldMax has RSA-encrypted its communication with the C2 server.(Citation: MSTIC NOBELIUM Mar 2021)

Enterprise T1564 .011 Hide Artifacts: Ignore Process Interrupts

The GoldMax Linux variant has been executed with the `nohup` command to ignore hangup signals and continue to run if the terminal session was terminated.(Citation: CrowdStrike StellarParticle January 2022)

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

GoldMax has impersonated systems management software to avoid detection.(Citation: MSTIC NOBELIUM Mar 2021)

.005 Masquerading: Match Legitimate Name or Location

GoldMax has used filenames that matched the system name, and appeared as a scheduled task impersonating systems management software within the corresponding ProgramData subfolder.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: CrowdStrike StellarParticle January 2022)

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

GoldMax has been packed for obfuscation.(Citation: FireEye SUNSHUTTLE Mar 2021)

.013 Obfuscated Files or Information: Encrypted/Encoded File

GoldMax has written AES-encrypted and Base64-encoded configuration files to disk.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)

Enterprise T1053 .003 Scheduled Task/Job: Cron

The GoldMax Linux variant has used a crontab entry with a @reboot line to gain persistence.(Citation: CrowdStrike StellarParticle January 2022)

.005 Scheduled Task/Job: Scheduled Task

GoldMax has used scheduled tasks to maintain persistence.(Citation: MSTIC NOBELIUM Mar 2021)

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

GoldMax will check if it is being run in a virtualized environment by comparing the collected MAC address to c8:27:cc:c2:37:5a.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)

.003 Virtualization/Sandbox Evasion: Time Based Evasion

GoldMax has set an execution trigger date and time, stored as an ASCII Unix/Epoch time value.(Citation: MSTIC NOBELIUM Mar 2021)

Groups That Use This Software

ID Name References

(Citation: MSTIC NOBELIUM Mar 2021)

G0016 APT29

(Citation: MSTIC NOBELIUM Mar 2021) (Citation: Cybersecurity Advisory SVR TTP May 2021) (Citation: MSTIC NOBELIUM May 2021) (Citation: MSTIC Nobelium Toolset May 2021) (Citation: Secureworks IRON RITUAL Profile)

G0118 UNC2452

(Citation: MSTIC NOBELIUM Mar 2021)

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.