S0249 Gold Dragon
Gold Dragon is a Korean-language, data gathering implant that was first observed in the wild in South Korea in July 2017. Gold Dragon was used along with Brave Prince and RunningRAT in operations targeting organizations associated with the 2018 Pyeongchang Winter Olympics. 1
| Item | Value |
|---|---|
| ID | S0249 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.2 |
| Created | 17 October 2018 |
| Last Modified | 11 April 2022 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Gold Dragon uses HTTP for communication to the control servers.1 |
| enterprise | T1560 | Archive Collected Data | Gold Dragon encrypts data using Base64 before being sent to the command and control server.1 |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Gold Dragon establishes persistence in the Startup folder.1 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Gold Dragon uses cmd.exe to execute commands for discovery.1 |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | Gold Dragon stores information gathered from the endpoint in a file named 1.hwp.1 |
| enterprise | T1083 | File and Directory Discovery | Gold Dragon lists the directories for Desktop, program files, and the user’s recently accessed files.1 |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | Gold Dragon terminates anti-malware processes if they’re found running on the system.1 |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Gold Dragon deletes one of its files, 2.hwp, from the endpoint after establishing persistence.1 |
| enterprise | T1105 | Ingress Tool Transfer | Gold Dragon can download additional components from the C2 server.1 |
| enterprise | T1057 | Process Discovery | Gold Dragon checks the running processes on the victim’s machine.1 |
| enterprise | T1012 | Query Registry | Gold Dragon enumerates registry keys with the command regkeyenum and obtains information for the Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.1 |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | Gold Dragon checks for anti-malware products and processes.1 |
| enterprise | T1082 | System Information Discovery | Gold Dragon collects endpoint information using the systeminfo command.1 |
| enterprise | T1033 | System Owner/User Discovery | Gold Dragon collects the endpoint victim’s username and uses it as a basis for downloading additional components from the C2 server.1 |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0094 | Kimsuky | 2 |
References
-
Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021. ↩