win.gold_dragon

GoldDragon

aka: Lovexxx

GoldDragon was a second-stage backdoor which established a permanent presence on the victim’s system once the first-stage, file-less, PowerShell-based attack leveraging steganography was executed. The initial attack was first observed in December 2017, when a Korean-language spear-phishing campaign targeted organizations linked with the Pyeongchang Winter Olympics 2018. GoldDragon was delivered once the attacker had gained an initial foothold in the targeted environment.

The malware was capable of basic reconnaissance, data exfiltration and downloading of additional components from its C&C server.

References
2022-02-08 — ASEC — ASEC
Distribution of Kimsuky Group’s xRAT (Quasar RAT) Confirmed
GoldDragon Quasar RAT
2021-11-10 — Cisco Talos — Asheer Malhotra, Jungsoo An, Kendall McKay
North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets
GoldDragon
2021-05-07 — TEAMT5 — Jhih-Lin Kuo, Zih-Cing Liao
"We Are About to Land": How CloudDragon Turns a Nightmare Into Reality
FlowerPower Appleseed BabyShark GoldDragon NavRAT
2020-11-02 — Cybereason — Assaf Dahan, Daniel Frank, Lior Rochberger, Tom Fakterman
Back to the Future: Inside the Kimsuky KGH Spyware Suite
BabyShark GoldDragon KGH_SPY Kimsuky
Yara Rules
[TLP:WHITE] win_gold_dragon_auto (20230808 | Detects win.gold_dragon.)
rule win_gold_dragon_auto {

    /* Summary (review note)
     * Ten 32-bit x86 instruction-byte sequences lifted from the GoldDragon
     * sample. The `??` wildcards blank out the bytes that vary between builds
     * (call/jump displacements after e8, and absolute operands of a3/a1/8b15/
     * 68/bf). Several sequences still carry hard-coded absolute addresses
     * (0x409500, 0x408400, 0x40914c, 0x40840c) that look like data references
     * inside a 0x400000-based image, so the rule is expected to fire on
     * unpacked or memory-dumped code, as the disclaimer below states, rather
     * than on a packed carrier -- confirm against your own samples.
     * Verdict: at least 7 of the 10 sequences AND filesize < 90112 bytes
     * (88 KiB). `filesize` is undefined when scanning process memory, so the
     * rule effectively applies to on-disk files only.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.gold_dragon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gold_dragon"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each sequence below is followed by its disassembly; blank right-hand
        // columns mark instructions whose operand bytes were wildcarded.
        $sequence_0 = { e8???????? 8bc6 83e61f c1f805 59 8b048500954000 8d0cf6 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8bc6                 | mov                 eax, esi
            //   83e61f               | and                 esi, 0x1f
            //   c1f805               | sar                 eax, 5
            //   59                   | pop                 ecx
            //   8b048500954000       | mov                 eax, dword ptr [eax*4 + 0x409500]
            //   8d0cf6               | lea                 ecx, [esi + esi*8]

        $sequence_1 = { 85c0 a3???????? 0f848d030000 8b15???????? 68???????? }
            // n = 5, score = 100
            //   85c0                 | test                eax, eax
            //   a3????????           |                     
            //   0f848d030000         | je                  0x393
            //   8b15????????         |                     
            //   68????????           |                     

        $sequence_2 = { 0fb6fa 3bc7 7714 8b55fc 8a9200844000 }
            // n = 5, score = 100
            //   0fb6fa               | movzx               edi, dl
            //   3bc7                 | cmp                 eax, edi
            //   7714                 | ja                  0x16
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   8a9200844000         | mov                 dl, byte ptr [edx + 0x408400]

        $sequence_3 = { a3???????? 0f842d040000 8b15???????? 68???????? }
            // n = 4, score = 100
            //   a3????????           |                     
            //   0f842d040000         | je                  0x433
            //   8b15????????         |                     
            //   68????????           |                     

        $sequence_4 = { a3???????? 0f8422030000 a1???????? 68???????? 50 ffd6 }
            // n = 6, score = 100
            //   a3????????           |                     
            //   0f8422030000         | je                  0x328
            //   a1????????           |                     
            //   68????????           |                     
            //   50                   | push                eax
            //   ffd6                 | call                esi

        $sequence_5 = { 8b7d08 8d054c914000 83780800 753b b0ff }
            // n = 5, score = 100
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   8d054c914000         | lea                 eax, [0x40914c]
            //   83780800             | cmp                 dword ptr [eax + 8], 0
            //   753b                 | jne                 0x3d
            //   b0ff                 | mov                 al, 0xff

        $sequence_6 = { 8db60c844000 bf???????? a5 a5 59 }
            // n = 5, score = 100
            //   8db60c844000         | lea                 esi, [esi + 0x40840c]
            //   bf????????           |                     
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   59                   | pop                 ecx

        $sequence_7 = { ffd6 85c0 a3???????? 0f84a2050000 }
            // n = 4, score = 100
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax
            //   a3????????           |                     
            //   0f84a2050000         | je                  0x5a8

        $sequence_8 = { ffd6 85c0 a3???????? 0f84ef010000 68???????? ffd7 }
            // n = 6, score = 100
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax
            //   a3????????           |                     
            //   0f84ef010000         | je                  0x1f5
            //   68????????           |                     
            //   ffd7                 | call                edi

        $sequence_9 = { 85c0 a3???????? 0f8424020000 8b15???????? 68???????? 52 }
            // n = 6, score = 100
            //   85c0                 | test                eax, eax
            //   a3????????           |                     
            //   0f8424020000         | je                  0x22a
            //   8b15????????         |                     
            //   68????????           |                     
            //   52                   | push                edx

    condition:
        // 7 of the 10 sequences must be present. The size bound (88 KiB) is
        // presumably sized to the unpacked payload and rejects larger carriers
        // -- verify against your samples before lowering or raising it.
        7 of them and filesize < 90112
}
[TLP:WHITE] win_gold_dragon_w0   (20180301 | Detects malware from Gold Dragon report)
import "pe"

rule win_gold_dragon_w0 {
	meta:
        author = "Florian Roth"
        description = "Detects malware from Gold Dragon report"
        reference = "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gold_dragon"
        malpedia_version = "20180301"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
	/* Review note
	 * No byte strings: the match is purely on the PE import hash
	 * (pe.imphash(), provided by the `pe` module imported above). The four
	 * values are presumably the imphashes of the samples in the referenced
	 * McAfee report -- confirm against that report. An imphash summarises the
	 * import table only, so an unrelated binary built with an identical import
	 * set would also match; treat a hit as a triage signal and corroborate it
	 * with the byte-sequence rule on this page or the reference IoCs. On a
	 * non-PE file pe.imphash() is undefined and the whole condition evaluates
	 * false, so no separate MZ magic check is needed for correctness.
	 */
	condition:
        pe.imphash() == "168c2f7752511dfd263a83d5d08a90db" or
        pe.imphash() == "0606858bdeb129de33a2b095d7806e74" or
        pe.imphash() == "51d992f5b9e01533eb1356323ed1cb0f" or
        pe.imphash() == "bb801224abd8562f9ee8fb261b75e32a"
}