Check out the results from our first round of ATT&CK Evaluations at attackevals.mitre.org!
SOFTWARE
Overview 3PARA RAT 4H RAT adbupd Adups ADVSTORESHELL Agent.btz Allwinner Android Overlay Malware Android/Chuli.A ANDROIDOS_ANSERVER.A AndroRAT Arp ASPXSpy at AutoIt backdoor Backdoor.Oldrea BACKSPACE BADCALL BADNEWS Bandook Bankshot BBSRAT BISCUIT Bisonal BITSAdmin BLACKCOFFEE BlackEnergy BOOTRASH BrainTest Brave Prince Briba BS2005 BUBBLEWRAP Cachedump CALENDAR Calisto CallMe Carbanak Catchamas CCBkdr certutil Chaos Charger ChChes Cherry Picker China Chopper CHOPSTICK CloudDuke cmd Cobalt Strike Comnie ComRAT CORALDECK CORESHELL CosmicDuke CozyCar Crimson CrossRAT Daserf DDKONG DealersChoice Dendroid Derusbi Dipsind DOGCALL Dok Downdelph DownPaper DressCode DroidJack dsquery DualToy Duqu DustySky Dyre Elise ELMER Emissary Epic EvilGrab FakeM FALLCHILL Felismus FELIXROOT Fgdump FinFisher Flame FLASHFLOOD FLIPSIDE Forfiles FruitFly FTP Gazer GeminiDuke gh0st GLOOXMAIL Gold Dragon Gooligan GravityRAT gsecdump H1N1 Hacking Team UEFI Rootkit HALFBAKED HAMMERTOSS HAPPYWORK HARDRAIN Havij hcdLoader HDoor Helminth Hi-Zor HIDEDRV Hikit HOMEFRY HTRAN HTTPBrowser httpclient HummingBad HummingWhale Hydraq ifconfig iKitten InnaputRAT InvisiMole Invoke-PSImage ipconfig ISMInjector Ixeshe Janicab JHUHUGIT JPIN jRAT Judy KARAE Kasidet Kazuar Keydnap KEYMARBLE KeyRaider Koadic Komplex KOMPROGO Kwampirs Linfo LOWBALL Lslsass Lurid MacSpy Marcher Matroyshka MazarBOT meek Mimikatz MimiPenguin Miner-C MiniDuke MirageFox Mis-Type Misdat Mivast MobileOrder MoonWind More_eggs Mosquito MURKYTOP Naid NanHaiShu NavRAT nbtstat NDiskMonitor Nerex Net Net Crawler NETEAGLE netsh netstat NetTraveler NETWIRE Nidiran NotCompatible OBAD OLDBAIT OldBoot OnionDuke OopsIE Orz OSInfo OwaAuth P2P ZeuS Pasam Pass-The-Hash Toolkit Pegasus for Android Pegasus for iOS PHOREAL PinchDuke Ping Pisloader PJApps PLAINTEE PlugX pngdowner PoisonIvy POORAIM POSHSPY Power Loader PowerDuke POWERSOURCE PowerSploit POWERSTATS POWRUNER Prikormka Proton Proxysvc PsExec Psylo Pteranodon PUNCHBUGGY PUNCHTRACK Pupy pwdump QUADAGENT QuasarRAT RARSTONE RATANKBA RawPOS RCSAndroid Reaver RedDrop RedLeaves Reg Regin RemoteCMD Remsec Responder RGDoor RIPTIDE ROCKBOOT RogueRobin ROKRAT route Rover RTM RuMMS RunningRAT S-Type Sakula schtasks SDelete SeaDuke SEASHARPEE Shamoon ShiftyBug SHIPSHAPE SHOTPUT SHUTTERSPEED Skeleton Key Skygofree SLOWDRIFT Smoke Loader SNUGRIDE Socksbot SOUNDBITE SPACESHIP spwebmember SpyDealer SpyNote RAT sqlmap SslMM Starloader Stealth Mango StreamEx Sykipot SynAck Sys10 Systeminfo T9000 Taidoor Tangelo Tasklist TDTESS TEXTMATE TINYTYPHON TinyZBot Tor TrickBot Trojan-SMS.AndroidOS.Agent.ao Trojan-SMS.AndroidOS.FakeInst.a Trojan-SMS.AndroidOS.OpFake.a Trojan.Karagany Trojan.Mebromi Truvasys TURNEDUP Twitoor TYPEFRAME UACMe Umbreon Unknown Logger UPPERCUT Uroburos USBStealer Vasport VERMIN Volgmer WEBC2 Wiarp Windows Credential Editor WINDSHIELD WINERACK Winexe Wingbird WinMM Winnti Wiper WireLurker X-Agent for Android XAgentOSX Xbot xCmd XcodeGhost XLoader XTunnel YiSpecter yty Zebrocy ZergHelper Zeroaccess ZeroT ZLib
  1. Home
  2. Software
  3. Gold Dragon

Gold Dragon

Gold Dragon is a Korean-language, data gathering implant that was first observed in the wild in South Korea in July 2017. Gold Dragon was used along with Brave Prince and RunningRAT in operations targeting organizations associated with the 2018 Pyeongchang Winter Olympics. [1]

ID: S0249
Aliases: Gold Dragon
Type: MALWARE
Platforms: Windows

Version: 1.0

Alias Descriptions

NameDescription
Gold Dragon[1]

Techniques Used

DomainIDNameUse
EnterpriseT1059Command-Line InterfaceGold Dragon uses cmd.exe to execute commands for discovery.[1]
EnterpriseT1022Data EncryptedGold Dragon encrypts data using Base64 before being sent to the command and control server.[1]
EnterpriseT1074Data StagedGold Dragon stores information gathered from the endpoint in a file named 1.hwp.[1]
EnterpriseT1089Disabling Security ToolsGold Dragon terminates anti-malware processes if they’re found running on the system.[1]
EnterpriseT1083File and Directory DiscoveryGold Dragon lists the directories for Desktop, program files, and the user’s recently accessed files.[1]
EnterpriseT1107File DeletionGold Dragon deletes one of its files, 2.hwp, from the endpoint after establishing persistence.[1]
EnterpriseT1057Process DiscoveryGold Dragon checks the running processes on the victim’s machine.[1]
EnterpriseT1012Query RegistryGold Dragon enumerates registry keys with the command regkeyenum and obtains information for the Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.[1]
EnterpriseT1060Registry Run Keys / Startup FolderGold Dragon establishes persistence in the Startup folder.[1]
EnterpriseT1105Remote File CopyGold Dragon can download additional components from the C2 server.[1]
EnterpriseT1063Security Software DiscoveryGold Dragon checks for anti-malware products and processes.[1]
EnterpriseT1071Standard Application Layer ProtocolGold Dragon uses HTTP for communication to the control servers.[1]
EnterpriseT1082System Information DiscoveryGold Dragon collects endpoint information using the systeminfo command.[1]
EnterpriseT1033System Owner/User DiscoveryGold Dragon collects the endpoint victim's username and uses it as a basis for downloading additional components from the C2 server.[1]

References

  1. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.