
GoldMax Malware

Posted: March 5, 2021

The compromise of the SolarWinds software vendor was, without question, one of the biggest cybersecurity stories of late 2020. Since then, anti-virus vendors and security companies around the world have been digging into the details of the attack, trying to learn more about the malware used and the probable perpetrator. Major names in the field track the campaign under the name Solorigate and attribute it to the actor known as Nobelium APT. In addition to the malware used in the SolarWinds supply-chain campaign itself, this group employs several other malware projects in different campaigns. One of these is known as GoldMax, a Trojan backdoor that was used in attacks against US-based government and technology entities.

The GoldMax Malware, also referred to as Sunshuttle, is written in Go, the programming language developed at Google; there has recently been a noticeable rise in the number of malware projects written in Go in particular. GoldMax's primary features allow it to establish persistence on the compromised system, retrieve commands from its operators and execute them, and transfer files in both directions between the victim's computer and the Command-and-Control server.

One of GoldMax's interesting quirks is the method it uses to disguise the traffic it generates. The implant carries a hard-coded list of referrer URLs belonging to major sites such as Yahoo, Facebook, Google and Bing, and stamps them on its own requests so that they look like ordinary browsing rather than out-of-place beaconing. This simple trick helps GoldMax's traffic blend in with normal web activity, but it also leaves a tell for defenders: a Referer header claiming the user arrived from Yahoo or Bing, on repeated requests from a single host to a destination that nobody else in the organization visits.
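To make that tell concrete, here is an added detection example (not code from the GoldMax sample or from any vendor report) that scans proxy log lines for the mismatch described above. The log format, the field order, the popular-referrer list and the thresholds are assumptions for the example, and the log lines are constructed; the destination `cdn-update-svc.example` is a made-up host, not a real indicator.

```python
"""
Hunting for referrer-spoofed beaconing in proxy logs.

Added illustration only: the log layout, the thresholds and the sample
lines below are constructed assumptions, not GoldMax artefacts.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Referrer hosts the implant is described as borrowing. Assumed list;
# extend it from your own telemetry.
POPULAR_REFERRERS = {
    "www.google.com", "www.bing.com", "www.yahoo.com",
    "www.facebook.com", "www.twitter.com",
}

# Constructed sample log: <ts> <src_ip> <method> <url> <referer> <user_agent>
# The first three lines are ordinary browsing; the last four are one host
# beaconing every five minutes with a different popular Referer each time.
SAMPLE_LOG = """\
2021-03-04T10:00:00Z 10.0.0.5 GET https://www.example.com/news/ https://www.google.com/ Mozilla/5.0
2021-03-04T10:00:01Z 10.0.0.6 GET https://www.example.com/news/ - Mozilla/5.0
2021-03-04T10:00:02Z 10.0.0.7 GET https://www.example.com/news/item https://www.example.com/news/ Mozilla/5.0
2021-03-04T10:05:00Z 10.0.0.9 GET https://cdn-update-svc.example/api/v1/check https://www.yahoo.com/ Mozilla/5.0
2021-03-04T10:10:00Z 10.0.0.9 GET https://cdn-update-svc.example/api/v1/check https://www.facebook.com/ Mozilla/5.0
2021-03-04T10:15:00Z 10.0.0.9 GET https://cdn-update-svc.example/api/v1/check https://www.bing.com/ Mozilla/5.0
2021-03-04T10:20:00Z 10.0.0.9 GET https://cdn-update-svc.example/api/v1/check https://www.google.com/ Mozilla/5.0
""".splitlines()


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels). Adequate for a heuristic; a real
    deployment would use a public-suffix-aware library (assumed simplification)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def parse_line(line: str) -> dict:
    """Split one log line into fields. '-' marks an absent Referer."""
    ts, src, method, url, referer, ua = line.split(" ", 5)
    referer_host = "" if referer == "-" else (urlsplit(referer).hostname or "")
    return {
        "ts": ts, "src": src, "method": method,
        "dst_host": urlsplit(url).hostname or "",
        "referer_host": referer_host,
        "ua": ua,
    }


def find_spoofed_referrer_beacons(lines, min_hits=3, max_sources=2):
    """Flag destinations where every request carried a Referer from a popular
    site that is not the destination's own domain, the destination was hit
    repeatedly, and only a few internal hosts talk to it. Genuine browsing
    arriving from Google mixes in direct and same-site referers and comes from
    many users; a beacon does neither."""
    by_dst = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec["dst_host"]:
            by_dst[rec["dst_host"]].append(rec)

    flagged = {}
    for dst, recs in by_dst.items():
        if len(recs) < min_hits:
            continue
        sources = {r["src"] for r in recs}
        if len(sources) > max_sources:
            continue  # widely visited: normal destination
        refs = {r["referer_host"] for r in recs}
        if "" in refs:
            continue  # some requests had no Referer: looks like real browsing
        if not refs <= POPULAR_REFERRERS:
            continue  # referers outside the borrowed list
        if any(registrable(ref) == registrable(dst) for ref in refs):
            continue  # navigation within the same site is expected
        flagged[dst] = {
            "hits": len(recs),
            "sources": sorted(sources),
            "referers": sorted(refs),
        }
    return flagged


if __name__ == "__main__":
    for dst, info in find_spoofed_referrer_beacons(SAMPLE_LOG).items():
        print(f"suspicious destination {dst}: {info}")
```

The thresholds are deliberately loose; in a real environment the same logic would run over a day of proxy telemetry and be combined with destination prevalence and request timing before anyone is paged.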

The GoldMax Malware was usually deployed as a second-stage payload, delivered by another dropper or loader in the Nobelium APT toolset. Companies can protect themselves against backdoor Trojans of this sort by running reputable anti-virus software that stands a chance of catching the first stage, by keeping the software-update channels that such campaigns abuse under scrutiny, and by regularly reviewing their network monitoring so that disguised beaconing like GoldMax's does not go unnoticed.
