Gold Dragon
Gold Dragon is a Korean-language, data gathering implant that was first observed in the wild in South Korea in July 2017. Gold Dragon was used along with Brave Prince and RunningRAT in operations targeting organizations associated with the 2018 Pyeongchang Winter Olympics. [1]
ID: S0249
Aliases: Gold Dragon
Type: MALWARE
Platforms: Windows
Version: 1.0
Alias Descriptions
Name | Description |
---|---|
Gold Dragon | [1] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1059 | Command-Line Interface | Gold Dragon uses cmd.exe to execute commands for discovery.[1] |
Enterprise | T1022 | Data Encrypted | Gold Dragon encrypts data using Base64 before being sent to the command and control server.[1] |
Enterprise | T1074 | Data Staged | Gold Dragon stores information gathered from the endpoint in a file named 1.hwp.[1] |
Enterprise | T1089 | Disabling Security Tools | Gold Dragon terminates anti-malware processes if they’re found running on the system.[1] |
Enterprise | T1083 | File and Directory Discovery | Gold Dragon lists the directories for Desktop, program files, and the user’s recently accessed files.[1] |
Enterprise | T1107 | File Deletion | Gold Dragon deletes one of its files, 2.hwp, from the endpoint after establishing persistence.[1] |
Enterprise | T1057 | Process Discovery | Gold Dragon checks the running processes on the victim’s machine.[1] |
Enterprise | T1012 | Query Registry | Gold Dragon enumerates registry keys with the command regkeyenum and obtains information for the Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run .[1] |
Enterprise | T1060 | Registry Run Keys / Startup Folder | Gold Dragon establishes persistence in the Startup folder.[1] |
Enterprise | T1105 | Remote File Copy | Gold Dragon can download additional components from the C2 server.[1] |
Enterprise | T1063 | Security Software Discovery | Gold Dragon checks for anti-malware products and processes.[1] |
Enterprise | T1071 | Standard Application Layer Protocol | Gold Dragon uses HTTP for communication to the control servers.[1] |
Enterprise | T1082 | System Information Discovery | Gold Dragon collects endpoint information using the systeminfo command.[1] |
Enterprise | T1033 | System Owner/User Discovery | Gold Dragon collects the endpoint victim's username and uses it as a basis for downloading additional components from the C2 server.[1] |