{
  "description": "Enterprise techniques used by GoldMax, ATT&CK software S0588 (v2.3)",
  "name": "GoldMax (S0588)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[GoldMax](https://attack.mitre.org/software/S0588) has used HTTPS and HTTP GET requests with custom HTTP cookies for C2.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[GoldMax](https://attack.mitre.org/software/S0588) can spawn a command shell and execute native commands.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1001", "showSubtechniques": true},
    {"techniqueID": "T1001.001", "comment": "[GoldMax](https://attack.mitre.org/software/S0588) has used decoy traffic to surround its malicious network traffic to avoid detection.(Citation: MSTIC NOBELIUM Mar 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1140", "comment": "[GoldMax](https://attack.mitre.org/software/S0588) has decoded and decrypted its configuration file when executed.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1573", "showSubtechniques": true},
    {"techniqueID": "T1573.002", "comment": "[GoldMax](https://attack.mitre.org/software/S0588) has RSA-encrypted its communication with the C2 server.(Citation: MSTIC NOBELIUM Mar 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1041", "comment": "[GoldMax](https://attack.mitre.org/software/S0588) can exfiltrate files over the existing C2 channel.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1564", "showSubtechniques": true},
    {"techniqueID": "T1564.011", "comment": "The [GoldMax](https://attack.mitre.org/software/S0588) Linux variant has been executed with the `nohup` command to ignore hangup signals and continue to run if the terminal session was terminated.(Citation: CrowdStrike StellarParticle January 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[GoldMax](https://attack.mitre.org/software/S0588) can download and execute additional files.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1036", "showSubtechniques": true},
    {"techniqueID": "T1036.004", "comment": "[GoldMax](https://attack.mitre.org/software/S0588) has impersonated systems management software to avoid detection.(Citation: MSTIC NOBELIUM Mar 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1036.005", "comment": "[GoldMax](https://attack.mitre.org/software/S0588) has used filenames that matched the system name and appeared as a scheduled task impersonating systems management software within the corresponding ProgramData subfolder.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: CrowdStrike StellarParticle January 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.002", "comment": "[GoldMax](https://attack.mitre.org/software/S0588) has been packed for obfuscation.(Citation: FireEye SUNSHUTTLE Mar 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.013", "comment": "[GoldMax](https://attack.mitre.org/software/S0588) has written AES-encrypted and Base64-encoded configuration files to disk.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1053", "showSubtechniques": true},
    {"techniqueID": "T1053.003", "comment": "The [GoldMax](https://attack.mitre.org/software/S0588) Linux variant has used a crontab entry with a @reboot line to gain persistence.(Citation: CrowdStrike StellarParticle January 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1053.005", "comment": "[GoldMax](https://attack.mitre.org/software/S0588) has used scheduled tasks to maintain persistence.(Citation: MSTIC NOBELIUM Mar 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1016", "comment": "[GoldMax](https://attack.mitre.org/software/S0588) retrieved a list of the system's network interfaces after execution.(Citation: MSTIC NOBELIUM Mar 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1124", "comment": "[GoldMax](https://attack.mitre.org/software/S0588) can check the current date-time value of the compromised system, comparing it to the hardcoded execution trigger, and can send the current timestamp to the C2 server.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1497", "showSubtechniques": true},
    {"techniqueID": "T1497.001", "comment": "[GoldMax](https://attack.mitre.org/software/S0588) will check if it is being run in a virtualized environment by comparing the collected MAC address to c8:27:cc:c2:37:5a.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1497.003", "comment": "[GoldMax](https://attack.mitre.org/software/S0588) has set an execution trigger date and time, stored as an ASCII Unix/Epoch time value.(Citation: MSTIC NOBELIUM Mar 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by GoldMax", "color": "#66b1ff"}]
}
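The two Linux-variant entries above (T1053.003, a crontab `@reboot` line, and T1564.011, execution under `nohup`) describe a persistence pattern that is easy to audit from crontab contents alone. The following is an added example, not part of the ATT&CK layer or of the cited MSTIC, FireEye or CrowdStrike reports: a small Python auditor that walks crontab text, keeps only `@reboot` entries, and attaches reasons for suspicion (nohup wrapping, backgrounding, a user-writable working directory, discarded output). The crontab content, the user name `svc` and the helper names are constructed for the example and are not GoldMax artifacts.

```python
"""Audit crontab text for @reboot persistence wrapped in nohup.

Added example for the GoldMax Linux-variant entries (T1053.003 / T1564.011);
the sample crontab below is constructed, not a real artifact.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    user: str
    line_no: int
    command: str
    reasons: list[str]


# Directories a legitimate @reboot job rarely executes a binary from.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")
# `nohup` as a standalone word, with or without a leading path (/usr/bin/nohup).
NOHUP_RE = re.compile(r"\bnohup\s")
# Command sent to the background at the end of the line.
BACKGROUND_RE = re.compile(r"&\s*$")


def audit_crontab(user: str, text: str) -> list[Finding]:
    """Return one Finding per @reboot entry, with the reasons it looks suspicious."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment
        if not line.startswith("@reboot"):
            continue  # ordinary time-based schedule; out of scope here
        command = line[len("@reboot"):].strip()
        reasons = ["@reboot entry"]
        if NOHUP_RE.search(command):
            reasons.append("wrapped in nohup")
        if BACKGROUND_RE.search(command):
            reasons.append("backgrounded with &")
        if any(d in command for d in SUSPICIOUS_DIRS):
            reasons.append("runs from a user-writable directory")
        if "/dev/null" in command:
            reasons.append("output discarded")
        findings.append(Finding(user, line_no, command, reasons))
    return findings


def is_high_risk(finding: Finding) -> bool:
    """@reboot alone is common; three or more indicators together are not."""
    return len(finding.reasons) >= 3


# Constructed sample crontab for user "svc" (hypothetical; not from any report).
SAMPLE_CRONTAB = """# constructed sample, not real GoldMax artifacts
0 3 * * * /usr/local/bin/backup.sh
@reboot /usr/bin/nohup /home/svc/.cache/agent >/dev/null 2>&1 &
@reboot /usr/sbin/ntpdate pool.ntp.org
"""


def scan_sample() -> list[Finding]:
    return audit_crontab("svc", SAMPLE_CRONTAB)


if __name__ == "__main__":
    for f in scan_sample():
        tag = "HIGH" if is_high_risk(f) else "info"
        print(f"[{tag}] {f.user} crontab line {f.line_no}: {f.command}")
        for r in f.reasons:
            print(f"        - {r}")
```

On a real host the same function would be fed the output of `crontab -l -u <user>` for each user plus the files under `/etc/cron.d`, `/etc/crontab` and `/var/spool/cron`; the scoring is deliberately simple so that a benign `@reboot` job (the `ntpdate` line in the sample) is reported but not escalated.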