ETDA (Electronic Transactions Development Agency)

Threat Group Cards: A Threat Actor Encyclopedia

Tool: GoldMax

Names: GoldMax, SUNSHUTTLE
Category: Malware
Type: Backdoor
Description: (Microsoft) The GoldMax malware was discovered persisting on networks as a scheduled task impersonating systems management software. In the instances it was encountered, the scheduled task was named after software that existed in the environment, and pointed to a subfolder in ProgramData named after that software, with a similar executable name. The executable, however, was the GoldMax implant.

Written in Go, GoldMax acts as a command-and-control backdoor for the actor. It uses several different techniques to obfuscate its actions and evade detection. The malware writes an encrypted configuration file to disk, where the file name and AES-256 cipher keys are unique per implant and based on environmental variables and information about the network where it is running.
Information:
<https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/>
<https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html>
<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a>
<https://x0r19x91.gitlab.io/post/malware-analysis/sunshuttle/>
<https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/>
MITRE ATT&CK: <https://attack.mitre.org/software/S0588/>
Malpedia: <https://malpedia.caad.fkie.fraunhofer.de/details/win.goldmax>

Last change to this tool card: 30 December 2022


All groups using tool GoldMax

Changed | Name | Country | Observed

APT groups

X | APT 29, Cozy Bear, The Dukes | Russia | 2008-Jun 2024

1 group listed (1 APT, 0 other, 0 unknown)

Digital Service Security Center
Electronic Transactions Development Agency