GoldFinder

GoldFinder is a custom HTTP tracer tool written in Go that logs the route a packet takes between a compromised network and a C2 server. It can be used to inform threat actors of potential points of discovery or logging of their actions, including C2 related to other malware. GoldFinder was discovered in early 2021 during an investigation into the SolarWinds Compromise by APT29.[1]

ID: S0597
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 26 March 2021
Last Modified: 27 March 2023

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

GoldFinder has used HTTP for C2.[1]

Enterprise T1119 Automated Collection

GoldFinder logged and stored information related to the route or hops a packet took from a compromised machine to a hardcoded C2 server, including the target C2 URL, HTTP response/status code, HTTP response headers and values, and data received from the C2 node.[1]

Enterprise T1016 .001 System Network Configuration Discovery: Internet Connection Discovery

GoldFinder performed HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request traveled through.[1]

Groups That Use This Software

ID Name References
G0016 APT29

[1][2][3][4][5][6][7]

Campaigns

ID Name Description
C0024 SolarWinds Compromise

[1]

References