- A backdoor that Microsoft calls GoldMax and FireEye calls Sunshuttle.
- Malware named Sibot, discovered by Microsoft.
- Malware named GoldFinder, discovered by Microsoft.
Sunshuttle is a complex backdoor written in the Go language. The backdoor blends its C2 communication traffic with legitimate network traffic, a simple but elegant detection-evasion technique.
After Sunshuttle retrieves a session key from the C2 server, it sends a beacon to fetch a command, then parses the response to determine which command to run. Commands from the C2 include remotely updating its configuration, uploading and downloading files, and executing arbitrary commands.
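A backdoor that polls its C2 on a schedule leaves a regularity signature in proxy logs even when each request looks like ordinary web traffic. The following Python is an added defender-side example, not code from the FireEye or Microsoft reports and not malware code: it groups constructed proxy log lines by source/destination pair and flags pairs whose request intervals are near-constant (low coefficient of variation), which is how a hunting query would surface a periodic beacon hidden among legitimate requests. The log lines, IP addresses, paths and the `min_events`/`max_cv` thresholds are all constructed assumptions.

```python
"""Beacon-interval analysis over constructed proxy log lines (added example)."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines, not real traffic.
# Format assumed here: "<timestamp> <src> <dst> <method> <path>".
# 10.1.2.3 -> 203.0.113.10 polls roughly every 60 s with a few seconds of jitter;
# 10.1.2.3 -> 198.51.100.20 is irregular browsing; 10.1.2.4 makes only two requests.
SAMPLE_LOG = """\
2021-03-04T10:00:00Z 10.1.2.3 203.0.113.10 GET /api/v1/session
2021-03-04T10:00:05Z 10.1.2.3 198.51.100.20 GET /news/index.html
2021-03-04T10:00:09Z 10.1.2.3 198.51.100.20 GET /news/style.css
2021-03-04T10:01:02Z 10.1.2.3 203.0.113.10 GET /api/v1/check
2021-03-04T10:01:59Z 10.1.2.3 203.0.113.10 GET /api/v1/check
2021-03-04T10:03:01Z 10.1.2.3 203.0.113.10 GET /api/v1/check
2021-03-04T10:04:00Z 10.1.2.3 203.0.113.10 GET /api/v1/check
2021-03-04T10:04:58Z 10.1.2.3 203.0.113.10 GET /api/v1/check
2021-03-04T10:06:03Z 10.1.2.3 203.0.113.10 GET /api/v1/check
2021-03-04T10:07:00Z 10.1.2.3 203.0.113.10 GET /api/v1/check
2021-03-04T10:13:40Z 10.1.2.3 198.51.100.20 GET /news/article?id=7
2021-03-04T10:14:00Z 10.1.2.3 198.51.100.20 GET /news/img/logo.png
2021-03-04T10:20:00Z 10.1.2.4 192.0.2.5 GET /
2021-03-04T10:21:00Z 10.1.2.4 192.0.2.5 GET /favicon.ico
2021-03-04T10:42:11Z 10.1.2.3 198.51.100.20 GET /news/index.html
"""


def parse_log(text):
    """Group request timestamps by (src, dst) pair."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _method, _path = line.split(maxsplit=4)
        events[(src, dst)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return events


def find_beacons(text, min_events=4, max_cv=0.2):
    """Return (src, dst) pairs whose inter-request gaps are suspiciously regular.

    cv = population stdev / mean of the gaps. A fixed sleep gives cv near 0;
    small jitter keeps it low; human browsing typically yields cv well above 1.
    Pairs with fewer than min_events requests are skipped: too few gaps to judge.
    """
    hits = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_events:
            continue
        times.sort()  # log order is not guaranteed to be chronological
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean == 0:
            continue  # burst of identical timestamps, not a periodic beacon
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "count": len(times),
                         "mean_interval": mean, "cv": round(cv, 3)})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['dst']}: {hit['count']} requests, "
              f"mean gap {hit['mean_interval']:.0f}s, cv {hit['cv']}")
```

The `max_cv` threshold is the tuning knob: a backdoor that adds large random jitter pushes the coefficient of variation up and slips past a tight threshold, so in practice the score is combined with other features (requests per day, bytes in versus out, destination reputation) rather than used alone.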
FireEye researchers said that the malware's infection vector is unclear and that it may have been delivered as a second-stage backdoor after the system was initially compromised. A US entity uploaded the backdoor to a public malware repository in August last year.
Figure: Data structure of the GoldMax configuration.
Microsoft researchers have discovered a malware family called Sibot. Sibot is a dual-purpose malware implemented in VBScript: it establishes persistence on the infected computer and then downloads and executes a payload from a remote C2 server.
Researchers have observed three variants of this malware, all of which are slightly obfuscated.
Microsoft researchers have also discovered a new tool called GoldFinder, written in Golang. GoldFinder is most likely used as a “custom HTTP tracer tool to record the route or node required for data packets to reach the hard-coded C2 server.”
Once launched, GoldFinder identifies all HTTP proxy servers and other redirectors, such as network security devices, that an HTTP request passes through inside and outside the network on its way to the target C2 server.