Gold Dragon

Gold Dragon is a Korean-language data-gathering implant that was first observed in the wild in South Korea in July 2017. Gold Dragon was used along with Brave Prince and RunningRAT in operations targeting organizations associated with the 2018 Pyeongchang Winter Olympics. [1]

ID: S0249
Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1059 | Command-Line Interface | Gold Dragon uses cmd.exe to execute commands for discovery. [1]
Enterprise | T1022 | Data Encrypted | Gold Dragon encodes gathered data with Base64 before sending it to the command and control server. Base64 is an encoding, not encryption, so the content is recoverable from captured traffic without a key. [1]
Enterprise | T1074 | Data Staged | Gold Dragon stores information gathered from the endpoint in a file named 1.hwp. [1]
Enterprise | T1089 | Disabling Security Tools | Gold Dragon terminates anti-malware processes if they are found running on the system. [1]
Enterprise | T1083 | File and Directory Discovery | Gold Dragon lists the directories for Desktop, Program Files, and the user's recently accessed files. [1]
Enterprise | T1107 | File Deletion | Gold Dragon deletes one of its files, 2.hwp, from the endpoint after establishing persistence. [1]
Enterprise | T1057 | Process Discovery | Gold Dragon checks the running processes on the victim's machine. [1]
Enterprise | T1012 | Query Registry | Gold Dragon enumerates registry keys with the command regkeyenum and obtains information for the Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. [1]
Enterprise | T1060 | Registry Run Keys / Startup Folder | Gold Dragon establishes persistence in the Startup folder. [1]
Enterprise | T1105 | Remote File Copy | Gold Dragon can download additional components from the C2 server. [1]
Enterprise | T1063 | Security Software Discovery | Gold Dragon checks for anti-malware products and processes. [1]
Enterprise | T1071 | Standard Application Layer Protocol | Gold Dragon uses HTTP for communication with the control servers. [1]
Enterprise | T1082 | System Information Discovery | Gold Dragon collects endpoint information using the systeminfo command. [1]
Enterprise | T1033 | System Owner/User Discovery | Gold Dragon collects the victim's username and uses it as a basis for downloading additional components from the C2 server. [1]
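The technique list above translates directly into hunting logic. The Python below is an added example written for this page; it is not code from the ATT&CK entry or from the report it cites. The event records and their Sysmon-like field names (type, image, parent, cmdline, path, key, body), the process name loader.exe and the addresses are all constructed for illustration. It flags the individual behaviours the page describes (systeminfo launched through cmd.exe, staging to 1.hwp, a query of the HKCU Run key, a write into the Startup folder, HTTP traffic with a Base64 body), decodes the Base64 body to show that the staged data is recoverable without a key, and then correlates hits per responsible process, since one binary exhibiting several of these behaviours together is a much stronger signal than any single rule.

```python
"""Hunting for Gold Dragon-style behaviour in endpoint telemetry.

Added example, not part of the ATT&CK page. Events below are constructed
to resemble Sysmon-style process, file, registry and network records; the
schema, paths and addresses are assumptions made for illustration.
"""
import base64
import binascii
import re
from typing import Callable, Optional

LOADER = r"C:\Users\victim\AppData\Local\Temp\loader.exe"   # assumed implant path
STAGED = b"Host Name: VICTIM-PC\r\nOS Name: Microsoft Windows 10\r\nUser: victim\r\n"

# Constructed sample telemetry (not real Gold Dragon logs).
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c systeminfo", "parent": LOADER},
    {"id": 2, "type": "file", "action": "create",
     "path": r"C:\Users\victim\AppData\Local\Temp\1.hwp", "image": LOADER},
    {"id": 3, "type": "registry", "action": "query",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "image": LOADER},
    {"id": 4, "type": "file", "action": "create",
     "path": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
     "image": LOADER},
    {"id": 5, "type": "network", "proto": "http", "method": "POST", "dst": "203.0.113.10",
     "body": base64.b64encode(STAGED).decode(), "image": LOADER},
    # Benign controls: an interactive shell listing a directory, and ordinary browsing.
    {"id": 6, "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir", "parent": r"C:\Windows\explorer.exe"},
    {"id": 7, "type": "network", "proto": "http", "method": "GET", "dst": "198.51.100.7",
     "body": "", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
]

STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run$", re.IGNORECASE)
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def decode_base64_body(body: str) -> Optional[bytes]:
    """Return the decoded payload if body is well-formed Base64, else None.

    Base64 is an encoding, not encryption: anything the implant sends this
    way can be recovered from a packet capture without any key material.
    """
    if not B64_RE.match(body):
        return None
    try:
        return base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None


def is_cmd(e: dict) -> bool:
    return e["type"] == "process" and e["image"].lower().endswith(r"\cmd.exe")


# One predicate per behaviour the page attributes to Gold Dragon.
RULES: list[tuple[str, Callable[[dict], bool]]] = [
    ("T1082", lambda e: is_cmd(e) and "systeminfo" in e["cmdline"].lower()),
    ("T1074", lambda e: e["type"] == "file" and e["path"].lower().endswith("\\1.hwp")),
    ("T1012", lambda e: e["type"] == "registry" and e["action"] == "query"
                        and bool(RUN_KEY_RE.search(e["key"]))),
    ("T1060", lambda e: e["type"] == "file" and e["action"] == "create"
                        and bool(STARTUP_RE.search(e["path"]))),
    ("T1022", lambda e: e["type"] == "network" and e["proto"] == "http"
                        and decode_base64_body(e["body"]) is not None),
]


def hunt(events: list[dict]) -> dict[str, list[int]]:
    """Map each matched technique ID to the IDs of the events that triggered it."""
    hits: dict[str, list[int]] = {}
    for e in events:
        for tech, pred in RULES:
            if pred(e):
                hits.setdefault(tech, []).append(e["id"])
    return hits


def actor(e: dict) -> str:
    """Process responsible for an event: the parent for process-creation events
    (the child is cmd.exe itself), the acting image for everything else."""
    return e["parent"] if e["type"] == "process" else e["image"]


def suspicious_actors(events: list[dict], min_techniques: int = 3) -> dict[str, set[str]]:
    """Group technique hits by responsible process and keep only processes that
    show at least min_techniques distinct behaviours from the list above."""
    per_actor: dict[str, set[str]] = {}
    for e in events:
        for tech, pred in RULES:
            if pred(e):
                per_actor.setdefault(actor(e), set()).add(tech)
    return {a: t for a, t in per_actor.items() if len(t) >= min_techniques}


if __name__ == "__main__":
    for tech, ids in hunt(SAMPLE_EVENTS).items():
        print(f"{tech}: events {ids}")
    for path, techs in suspicious_actors(SAMPLE_EVENTS).items():
        print(f"suspicious: {path} -> {sorted(techs)}")
    print("decoded C2 body:", decode_base64_body(SAMPLE_EVENTS[4]["body"]))
```

The per-rule output is deliberately noisy on its own (systeminfo and Run-key reads happen in plenty of legitimate administration); the correlation step is what raises a single Temp-directory binary that discovers, stages, persists and exfiltrates over HTTP above the baseline, and the explorer.exe and browser controls show that ordinary activity does not reach the threshold.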