GoldFinder Malware

GoldFinder Malware Description

GoldFinder is a new malware strain that was discovered by the cybersecurity researchers at Microsoft. It is a highly specialized, custom-built tool that was observed as part of the activities of the Nobelium (UNC2542) APT group. The main task of GoldFinder is to snoop inside the network of the compromised organization and then inform the hackers of any weak points in its setup, or of whether their actions are being logged.

GoldFinder is written in Golang and can be described as an HTTP tracer tool. Upon execution on the compromised system, the malware logs the entire route and every hop that a packet takes on its way to the hardcoded address of the Command-and-Control (C2, C&C) server. In practice, this means the malware maps out all HTTP proxy servers and any other redirections that could represent network security devices, both inside and outside the network.
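
To make concrete what an HTTP tracer of this kind records, the following Go program is an added example (not GoldFinder's code, which is not public on this page): it follows a request through every redirect, noting the URL reached at each step and any `Via` header that a standards-compliant proxy adds to the responses it forwards. The chain server, its paths and the `inspecting-proxy.example` name are constructed stand-ins for a local run, not real endpoints.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Hop is one step on the path: the URL reached and any Via header a proxy added to that step's response.
type Hop struct{ URL, Via string }

// TraceRoute GETs startURL and records every redirect followed, the kind of log an HTTP tracer keeps.
func TraceRoute(startURL string) ([]Hop, error) {
	var hops []Hop
	client := &http.Client{
		// Runs before each redirect is followed; req.Response is the response that triggered it.
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			prev := via[len(via)-1]
			hops = append(hops, Hop{prev.URL.String(), req.Response.Header.Get("Via")})
			return nil
		},
	}
	resp, err := client.Get(startURL)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	hops = append(hops, Hop{resp.Request.URL.String(), resp.Header.Get("Via")})
	return hops, nil
}

// NewChainServer is a constructed in-process stand-in (not a real endpoint): /start -> /proxy -> /final,
// where /proxy adds a Via header the way a forwarding or inspecting proxy would.
func NewChainServer() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/start", func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, "/proxy", http.StatusFound)
	})
	mux.HandleFunc("/proxy", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Via", "1.1 inspecting-proxy.example")
		http.Redirect(w, r, "/final", http.StatusFound)
	})
	mux.HandleFunc("/final", func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "ok") })
	return httptest.NewServer(mux)
}

func main() {
	srv := NewChainServer()
	defer srv.Close()
	hops, err := TraceRoute(srv.URL + "/start")
	fmt.Println(hops, err) // three recorded hops; the middle one carries the proxy's Via header
}
```

The second hop shows the defensive point: an inspection device that announces itself in `Via` (or through a visible redirect) is exactly what such a tracer is built to notice.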

GoldFinder could be used to signal the Nobelium hackers that their communication with other malware threats on the breached system, such as the GoldMax/Sunshuttle backdoor, has been intercepted.

The previously unknown Nobelium APT rose to prominence last year when it executed a massive supply-chain attack against SolarWinds. Approximately 18,000 SolarWinds customers are believed to have been impacted by the operation.