Figure 1. HardwareAddr.String() call, hardcoded MAC address, and os.Exit() call
Figure 2. Data structure of the GoldMax configuration data
GoldMax proceeds to parse the data structure depicted above and uses the values within to initialize its runtime settings and variables used by its different components. If the configuration file is not present on the system, (i.e., the first time it runs), GoldMax uses dynamically generated and embedded values to create and populate the data structure depicted above. It then uses the same AES encryption methodology to encrypt the data structure. After encrypting the data structure, GoldMax proceeds to Base64 encode the encrypted data structure and removes all instances of ‘=’ from the Base64 encoded string. It then creates a configuration file on the file system (e.g., features.dat.tmp) and stores the Base64 encoded data in the configuration file.
Figure 3. Inline Unix() function and EPOCH comparison of the current and activation date/time
If an activation date-time value is specified in the configuration data (i.e., not set to ‘0’) and the activation date-time occurs on or before the current date-time of the compromised system, GoldMax commences its malicious activities. Otherwise, GoldMax terminates and continues to do so until the activation date is reached. If no activation date is specified in the configuration data (i.e., field set to ‘0’), the malware commences its malicious activities straightaway. In all versions of GoldMax analyzed during our investigation, the activation date is initially set to ‘0’. However, through its command-and-control feature, the operators can dynamically update the activation date using a specific C2 command, in which case the new activation date is stored in the configuration file and is checked each time GoldMax runs.
Figure 4. Hardcoded URLs from which GoldMax selects up to four to issue HTTP requests for
As shown above, some of the decoy URLs point to the domain name of the actual C2 (e.g., onetechcompany[.]com). However, the particular HTTP resources referenced in the URLs above (e.g., style.css, script.js, icon.ico, etc.) are known to the C2 as being decoy resources that serve no role in the regular C2 communication between GoldMax and its C2. The Referer value for each decoy HTTP request is also pseudo-randomly selected from a list of four legitimate domain names. For example, we have seen the following in various combinations to make up lists of four domains: www[.]mail[.]com, www[.]bing[.]com, www[.]facebook[.]com, www[.]google[.]com, www[.]twitter[.]com, www[.]yahoo[.]com, etc. For demonstration purposes, an example decoy HTTP GET request is included below (the Connection and User-Agent HTTP headers and their values are manually added to each request by GoldMax and remain the same across all decoy HTTP requests, regardless of the destination URL):
Figure 5. Sample decoy HTTP GET request
Figure 6. HTTP Cookie value in HTTP GET request
An example request containing the custom Cookie value is shown below:
Figure 7. Sample HTTP GET request with the custom Cookie value
The User-Agent and Connection values above are hardcoded in the HTTP request. The Referer value is pseudo-randomly selected from a list of four legitimate domain names using various combinations of the following: www[.]mail[.]com, www[.]bing[.]com, www[.]facebook[.]com, www[.]google[.]com, www[.]twitter[.]com, www[.]yahoo[.]com, etc. In response to the request above, GoldMax expects to receive an HTTP 200 response containing a very specific and hardcoded ASCII string (e.g., “uFLa12nFmKkjrmjj”). The seemingly random-looking string is typically 10-16 bytes long (after all leading and trailing white space has been removed). It can best be described as a “shared secret” between the C2 and each individual implant (the string varies in different versions of GoldMax). It serves as an acknowledgement that the C2 server has received GoldMax’s request for a new a session key. If GoldMax does not receive the expected string, it sleeps for a random amount of time and repeats (indefinitely) the process described above to obtain the expected string from its C2 server, or until the GoldMax process is terminated. After receiving the expected string, GoldMax sleeps for up to 14 seconds before proceeding. If the decoy traffic option is enabled in the configuration data, GoldMax issues a pseudo-random number of HTTP GET requests (as described under the decoy network traffic section above). GoldMax then issues a new HTTP GET request to its C2 server containing a new set of hardcoded Cookie values.
Figure 8. Sample HTTP GET request showing hardcoded Cookie values
The only observed difference between the first and second HTTP GET requests is the value of the second Cookie highlighted above (example values: iC0Pf2a48 from the first request vs. J4yeUYKyeuNa2 from the second request above). In response to the request, GoldMax receives an encrypted RSA session key (Base64-encoded). Each version of GoldMax contains an RSA private key which GoldMax proceeds to decode (using pem.Decode()) and parse (using x509.ParsePKCS1PrivateKey()). GoldMax uses rsa.DecryptOAEP() with the parsed private key to decrypt (using RSA-OAEP) the RSA-encrypted session key received from its C2 server. From this point on, the session key is used to encrypt data sent between GoldMax and its C2 server.
Figure 9. Sample HTTP GET request containing a single Cookie value
In response to the request above, GoldMax receives an encrypted (AES-256) and encoded (Base64 using custom Base64 alphabet) C2 command. The command is encrypted using the session key established between GoldMax and its C2 server. After decoding and decrypting the C2 command, GoldMax proceeds to parse the C2 command. C2 commands are represented as seemingly random alphanumerical ASCII strings (e.g., “KbwUQrcooAntqNMddu4XRj”) that are unique to each implant but known to the C2 server. The C2 commands allow the operator to download and execute files on the compromised system, upload files from the compromised system to the C2 server, execute OS commands on the compromised system, spawn a command shell, and dynamically update GoldMax’s configuration data. These dynamic updates to Goldmax configuration data enable ability to set a new activation date, replace the existing C2 URL and User-Agent values, enable/disable decoy network traffic feature, and update the number range used by its PRNG. It is worth noting that all observed versions of GoldMax were compiled with the Go compiler version 1.14.2 (released in April 2020). In all observed versions, the main Go source code file for GoldMax was located under the following directory: /var/www/html/builds/. The Go packages and libraries used during the compilation process of GoldMax were mostly located under the /var/www/html/go/src/ directory (e.g., /var/www/html/go/src/net/http/http.go).
The registry key referenced in this command-line contains the second-stage script.
Figure 10. Sibot variants
Python encoded = '<ENCODED STRING' decoded = '' i = 0 while i < len(encoded): a = int(chr(ord(encoded[i]) - 17)) i += 1 b = int(chr(ord(encoded[i]) - 17)) if a * 10 + b < 32: i += 1 c = int(chr(ord(encoded[i]) - 17)) decoded += chr(a * 100 + b * 10 + c) else: decoded += chr(a * 10 + b) i += 1 print(decoded)
Figure 11. Sample log entry
If the response is not an HTTP 200 (OK) response and contains an HTTP Location field (indicating a redirect), GoldFinder recursively follows and logs the redirects until it receives an HTTP 200 response, at which point it terminates. If a Location header is present in the response and the Location value starts with the string “http”, GoldFinder extracts the Location URL (i.e., redirect URL) and issues a new HTTP GET request for the redirect URL. It again logs the request and its response in the plaintext log file:
Figure 12. Sample log file
If GoldFinder receives an HTTP 200 status code in response to the request above, indicating no more redirects, it terminates. Otherwise, it recursively follows the redirect up to 99 times or until it receives an HTTP 200 response, whichever occurs first. When launched, GoldFinder can identify all HTTP proxy servers and other redirectors such as network security devices that an HTTP request travels through inside and outside the network to reach the intended C2 server. When used on a compromised device, GoldFinder can be used to inform the actor of potential points of discovery or logging of their other actions, such as C2 communication with GoldMax. GoldFinder was compiled using Go 1.14.2, released in April 2020, from a Go file named finder.go with the following path: /tmp/finder.go. The Go packages and libraries used during the compilation process of GoldFinder were mostly located under the /var/www/html/go/src/ directory (e.g., /var/www/html/go/src/net/http/http.go). 
Figure 13. Security recommendations in threat and vulnerability management
Detections of new malware by Microsoft Defender Antivirus are reported as alerts in Microsoft Defender Security Center. Additionally, endpoint detection and response capabilities in Microsoft Defender for Endpoint detect malicious behavior related to these NOBELIUM components, which are surfaced as alerts with the following titles:| Type | Threat name | Indicator |
| SHA-256 | GoldMax | 70d93035b0693b0e4ef65eb7f8529e6385d698759cc5b8666a394b2136cc06eb |
| SHA-256 | GoldMax | 0e1f9d4d0884c68ec25dec355140ea1bab434f5ea0f86f2aade34178ff3a7d91 |
| SHA-256 | GoldMax | 247a733048b6d5361162957f53910ad6653cdef128eb5c87c46f14e7e3e46983 |
| SHA-256 | GoldMax | f28491b367375f01fb9337ffc137225f4f232df4e074775dd2cc7e667394651c |
| SHA-256 | GoldMax | 611458206837560511cb007ab5eeb57047025c2edc0643184561a6bf451e8c2c |
| SHA-256 | GoldMax | b9a2c986b6ad1eb4cfb0303baede906936fe96396f3cf490b0984a4798d741d8 |
| SHA-256 | GoldMax | bbd16685917b9b35c7480d5711193c1cd0e4e7ccb0f2bf1fd584c0aebca5ae4c |
| SHA-256 | GoldFinder | 0affab34d950321e3031864ec2b6c00e4edafb54f4b327717cb5b042c38a33c9 |
| SHA-256 | Sibot | 7e05ff08e32a64da75ec48b5e738181afb3e24a9f1da7f5514c5a11bb067cbfb |
| SHA-256 | Sibot | acc74c920d19ea0a5e6007f929ef30b079eb2836b5b28e5ffcc20e68fa707e66 |
| IP address | GoldMax and GoldFinder | 185[.]225[.]69[.]69/ |
| Domain | GoldMax and GoldFinder | srfnetwork[.]org |
| Domain | GoldMax | reyweb[.]com |
| Domain | GoldMax | onetechcompany [.]com |
Additional IOCs added April 15, 2021:
| Type | Threat name | Indicator |
| SHA-256 | GoldMax | 4e8f24fb50a08c12636f3d50c94772f355d5229e58110cccb3b4835cb2371aec |
| SHA-256 | GoldMax | ec5f07c169267dec875fdd135c1d97186b494a6f1214fb6b40036fd4ce725def |
| SHA-256 | GoldMax | 478b04c20bbf6717d10ee978b99339b7c4664febc8bcfdaf86c3f0fbfc83a5c5 |
| SHA-256 | GoldFinder | f2a8bdf135caca0d7359a7163a4343701a5bdfbc8007e71424649e45901ab7e2 |
| SHA-256 | GoldFinder | 4dec3eeefcec013f142386d5c54099d3daa2b48d559434db1d4f2078d704da1b |
| SHA-256 | GoldFinder | 6b01eeef147d9e0cd6445f90e55e467b930df2de5d74e3d2f7610e80f2c5a2cd |
| SHA-256 | GoldFinder | 0f04f199327d0d076815190dc024f4a6b0f27899d50d28e94662820ab9c945d2 |
| SHA-256 | Sibot | e9ddf486e5aeac02fc279659b72a1bec97103f413e089d8fabc30175f4cdbf15 |
| SHA-256 | Sibot | cb80a074e5fde8d297c2c74a0377e612b4030cc756baf4fff3cc2452ebc04a9c |
| Domain | GoldMax | megatoolkit[.]com |
| Domain | GoldMax and GoldFinder | Nikeoutletinc[.]org |
| 185[.]225[.]69[.]69 C2 decoys | “onetechcompany” C2 decoys | “reyweb” C2 decoys |
| hxxps[:]//cdn[.]mxpnl[.]com/ | hxxps[:]//code[.]jquery[.]com/ | hxxps[:]//code[.]jquery[.]com/ |
| hxxps[:]//code[.]jquery[.]com/ | hxxps[:]//play[.]google[.]com/log?” | hxxps[:]//cdn[.]cloudflare[.]com/ |
| hxxps[:]//cdn[.]google[.]com/ | hxxps[:]//fonts[.]gstatic[.]com/s/font.woff2″ | hxxps[:]//cdn[.]google[.]com/ |
| hxxps[:]//fonts[.]gstatic[.]com/s/font.woff2 | hxxps[:]//cdn[.]google[.]com/ | hxxps[:]//cdn[.]jquery[.]com/ |
| hxxps[:]//ssl[.]gstatic[.]com/ui/v3/icons | hxxps[:]//www.gstatic[.]com/images/? | hxxps[:]//cdn[.]mxpnl[.]com/ |
| hxxps[:]//www.gstatic[.]com/images/? | hxxps[:]//onetechcompany [.]com/style.css | hxxps[:]//ssl[.]gstatic[.]com/ui/v3/icons |
| hxxps[:]//185[.]225[.]69[.]69/style.css | hxxps[:]//onetechcompany [.]com/script.js | hxxps[:]//reyweb[.]com/style.css |
| hxxps[:]//185[.]225[.]69[.]69/script.js | hxxps[:]//onetechcompany [.]com/icon.ico | hxxps[:]//reyweb[.]com/script.js |
| hxxps[:]//185[.]225[.]69[.]69/icon.ico | hxxps[:]//onetechcompany [.]com/icon.png | hxxps[:]//reyweb[.]com/icon.ico |
| hxxps[:]//185[.]225[.]69[.]69/icon.png | hxxps[:]//onetechcompany [.]com/scripts/jquery.js | hxxps[:]//reyweb[.]com/icon.png |
| hxxps[:]//185[.]225[.]69[.]69/scripts/jquery.js | hxxps[:]//onetechcompany [.]com/scripts/bootstrap.js | hxxps[:]//reyweb[.]com/scripts/jquery.js |
| hxxps[:]//185[.]225[.]69[.]69/scripts/bootstrap.js | hxxps[:]//onetechcompany [.]com/css/style.css | hxxps[:]//reyweb[.]com/scripts/bootstrap.js |
| hxxps[:]//185[.]225[.]69[.]69/css/style.css | hxxps[:]//onetechcompany [.]com/css/bootstrap.css | hxxps[:]//reyweb[.]com/css/style.css |
| hxxps[:]//185[.]225[.]69[.]69/css/bootstrap.css | hxxps[:]//reyweb[.]com/css/bootstrap.css |
C2 decoy traffic added April 15, 2021:
| “megatoolkit” C2 decoys | “nikeoutletinc” C2 decoys |
| https://cdn.mxpnl.com/ | https://cdn.mxpnl.com/ |
| https://www.google-analytics.com/ | https://cdn.bootstrap.com/ |
| https://cdn.jquery.com/ | https://www.google-analytics.com/ |
| https://cdn.cloudflare.com/ | https://play.google.com/log? |
| https://code.jquery.com/ | https://cdn.jquery.com/ |
| https://play.google.com/log? | https://code.jquery.com/ |
| https://megatoolkit.com/style.css | https://nikeoutletinc.org/style.css |
| https://megatoolkit.com/script.js | https://nikeoutletinc.org/script.js |
| https://megatoolkit.com/icon.ico | https://nikeoutletinc.org/icon.ico |
| https://megatoolkit.com/icon.png | https://nikeoutletinc.org/icon.png |
| https://megatoolkit.com/scripts/jquery.js | https://nikeoutletinc.org/scripts/jquery.js |
| https://megatoolkit.com/scripts/bootstrap.js | https://nikeoutletinc.org/scripts/bootstrap.js |
| https://megatoolkit.com/css/style.css | https://nikeoutletinc.org/css/style.css |
| https://megatoolkit.com/css/bootstrap.css | https://nikeoutletinc.org/css/bootstrap.css |
DeviceImageLoadEvents
| where InitiatingProcessFileName =~ 'rundll32.exe'
| where InitiatingProcessCommandLine has_any('.sys,','.sys ')
| where FileName endswith '.sys'
| project Timestamp, DeviceId, InitiatingProcessParentFileName, InitiatingProcessFolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath, FileName
DeviceProcessEvents
| where FileName =~ 'rundll32.exe'
| where ProcessCommandLine has 'Execute'
and ProcessCommandLine has 'RegRead'
and ProcessCommandLine has 'window.close'
| project Timestamp, DeviceId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine
SecurityEvent
| where EventID == 4688
| where Process =~ 'rundll32.exe'
| where CommandLine has_all ('Execute','RegRead','window.close')
| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId
DeviceRegistryEvents
| where RegistryKey endswith @'\Microsoft\Windows\CurrentVersion'
| where RegistryValueType == 'String'
| where strlen(RegistryValueData) >= 200
| where RegistryValueData has_any('vbscript','jscript','mshtml,','mshtml ','RunHTMLApplication','Execute(','CreateObject','RegRead','window.close')
| where RegistryKey !endswith @'\Software\Microsoft\Windows\CurrentVersion\Run'
and RegistryKey !endswith @'\Software\Microsoft\Windows\CurrentVersion\RunOnce'
| project Timestamp, DeviceId, InitiatingProcessFileName, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData
let cmdTokens0 = dynamic(['vbscript','jscript']);
let cmdTokens1 = dynamic(['mshtml','RunHTMLApplication']);
let cmdTokens2 = dynamic(['Execute','CreateObject','RegRead','window.close']);
SecurityEvent
| where TimeGenerated >= ago(14d)
| where EventID == 4688
| where CommandLine has @'\Microsoft\Windows\CurrentVersion'
| where not(CommandLine has_any (@'\Software\Microsoft\Windows\CurrentVersion\Run', @'\Software\Microsoft\Windows\CurrentVersion\RunOnce'))
// If you are receiving false positives, then it may help to make the query more strict by uncommenting the lines below to refine the matches
//| where CommandLine has_any (cmdTokens0)
//| where CommandLine has_all (cmdTokens1)
| where CommandLine has_all (cmdTokens2)
| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId
let DomainNames = dynamic(['onetechcompany.com', 'reyweb.com', 'srfnetwork.org']);
let IPList = dynamic(['185.225.69.69']);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
(union isfuzzy=true
(CommonSecurityLog
| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (DomainNames) or RequestURL has_any (DomainNames) or Message has_any (IPList)
| parse Message with * '(' DNSName ')' *
| extend MessageIP = extract(IPRegex, 0, Message)
| extend IPMatch = case(SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP", MessageIP in (IPList), "Message", RequestURL in (DomainNames), "RequestUrl", "NoMatch")
| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, IPMatch == "Message", MessageIP, "NoMatch"), AccountCustomEntity = SourceUserID
),
(DnsEvents
| where IPAddresses in (IPList) or Name in~ (DomainNames)
| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer
| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host
),
(VMConnection
| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (DomainNames)
| parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
| extend IPMatch = case( SourceIp in (IPList), "SourceIP", DestinationIp in (IPList), "DestinationIP", "None")
| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == "SourceIP", SourceIp, IPMatch == "DestinationIP", DestinationIp, "NoMatch"), HostCustomEntity = Computer
),
(OfficeActivity
| where ClientIP in (IPList)
| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId
),
(DeviceNetworkEvents
| where RemoteUrl has_any (DomainNames) or RemoteIP in (IPList)
| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName
),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallDnsProxy"
| parse msg_s with "DNS Request: " ClientIP ":" ClientPort " - " QueryID " " Request_Type " " Request_Class " " Request_Name ". " Request_Protocol " " Request_Size " " EDNSO_DO " " EDNS0_Buffersize " " Responce_Code " " Responce_Flags " " Responce_Size " " Response_Duration
| where Request_Name has_any (DomainNames)
| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP
),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallApplicationRule"
| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
| where isnotempty(DestinationHost)
| where DestinationHost has_any (DomainNames)
| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost
)
)
The Microsoft security team detected a nation-state attack on our corporate systems on January 12, 2024, and immediately activated our response process to investigate, disrupt malicious activity, mitigate the attack, and deny the threat actor further access. The Microsoft Threat Intelligence investigation identified the threat actor as Midnight Blizzard, the Russian state-sponsored actor also known as NOBELIUM.
Microsoft Threat Intelligence has identified highly targeted social engineering attacks using credential theft phishing lures sent as Microsoft Teams chats by the threat actor that Microsoft tracks as Midnight Blizzard (previously tracked as NOBELIUM).
Microsoft security researchers have discovered a post-compromise capability we’re calling MagicWeb, which is used by a threat actor we track as NOBELIUM to maintain persistent access to compromised environments.
In the final post of a four-part series on the NOBELIUM nation-state attack, we explore key findings from the after-action report on the attack.
