Saturday, April 13, 2024

GoldMax, GoldFinder, and Sibot, are the 3 new Malwares Used by SolarWinds Hackers

Microsoft continues its analysis and work with partners and customers to gather more information about the threat actor behind Solarwinds supply chain act that compromised SolarWinds and impacted multiple other organizations.

More than 18000 customers, including US government agencies, were believed to be affected by this massive attack. As a result, Microsoft has identified three new pieces of malware being used in late-stage activity by NOBELIUM – the actor behind the SolarWinds attacks, SUNBURST, and TEARDROP, which are:

  1. GoldMax
  2. Sibot
  3. GoldFinder


This GoldMax malware was identified to be sticking on networks as a scheduled task impersonating systems management software.

The scheduled task was named after the software that existed in the environment. It pointed to a subfolder in ProgramData named after that software, with a similar executable name. The executable, however, was the GoldMax implant.

The malware writes an encrypted configuration file to disk, while the configuration data is encrypted using the AES-256 encryption algorithm, CFB encryption mode, and the following cipher key: “4naehrkz5alao2jd035zjh3j1v1dvyyc” (key varies in different versions of GoldMax).

The AES encrypted configuration data is Base64-encoded using the custom Base64 alphabet “ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_” before it is stored in the configuration file on the file system.

When run, GoldMax decodes (Base64) and decrypts (AES-256) the configuration data to reveal a custom data structure comprised of the following dynamically generated and hardcoded values (delimited by ‘|’)


Sibot is a two-way purpose malware implemented in VBScript. It is designed to achieve persistence on the infected machine. It downloads and executes a payload from a remote C2 server.

The VBScript file is given a name that impersonates legitimate Windows tasks and is stored either in the registry of the compromised system or in an obfuscated format on disk. The VBScript is then run via a scheduled task.

There are three variants of Sibot:

  • Variant A only installs the second-stage script in the default registry value under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot.
  •  Variant B registers a scheduled task named Sibot and programmed to run daily. This task, C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\sibot, runs the following command-line daily:
  • Variant C is a standalone version of the second-stage script. The second-stage script from Variant A is designed to be executed from the registry, this variant is designed to run from a file.


GoldFinder is a custom HTTP tracer tool which logs the route or hops that a packet takes to reach a hardcoded C2 server.

When launched, the malware sends an HTTP request for a hardcoded IP address and logs the HTTP response to a plaintext log file.

GoldFinder uses the following hardcoded labels to store the request and response information in the log file:

  • Target: The C2 URL
  • StatusCode: HTTP response/status code
  • Headers: HTTP response headers and their values
  • Data: Data from the HTTP response received from the C2

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Also Read

SolarWinds Hack – Multiple Similarities Found Between Sunburst Backdoor and Turla’s Backdoor

DOJ Says SolarWinds Hackers Accessed 3% of it’s Office 365 Mailboxes

New Malware Discovered in SolarWinds Attack that Used 7-Zip Code to Hide


Latest articles

Alert! Palo Alto RCE Zero-day Vulnerability Actively Exploited in the Wild

In a recent security bulletin, Palo Alto Networks disclosed a critical vulnerability in its...

6-year-old Lighttpd Flaw Impacts Intel And Lenovo Servers

The software supply chain is filled with various challenges, such as untracked security vulnerabilities...

Hackers Employ Deepfake Technology To Impersonate as LastPass CEO

A LastPass employee recently became the target of an attempted fraud involving sophisticated audio...

Sisence Data Breach, CISA Urges To Reset Login Credentials

In response to a recent data breach at Sisense, a provider of data analytics...

DuckDuckGo Launches Privacy Pro: 3-in-1 service With VPN

DuckDuckGo has launched Privacy Pro, a new subscription service that promises to enhance user...

Cyber Attack Surge by 28%:Education Sector at High Risk

In Q1 2024, Check Point Research (CPR) witnessed a notable increase in the average...

Midnight Blizzard’s Microsoft Corporate Email Hack Threatens Federal Agencies: CISA Warns

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive concerning a...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Top 3 SME Attack Vectors

Securing the Top 3 SME Attack Vectors

Cybercriminals are laying siege to small-to-medium enterprises (SMEs) across sectors. 73% of SMEs know they were breached in 2023. The real rate could be closer to 100%.

  • Stolen credentials
  • Phishing
  • Exploitation of vulnerabilities

Related Articles