
GoldDragon

aka: Lovexxx

GoldDragon was a second-stage backdoor which established a permanent presence on the victim’s system once the first-stage, file-less, PowerShell-based attack leveraging steganography was executed. The initial attack was first observed in December 2017, when a Korean-language spear-phishing campaign targeted organizations linked with the Pyeongchang Winter Olympics 2018. GoldDragon was delivered once the attacker had gained an initial foothold in the targeted environment.

The malware was capable of basic reconnaissance, data exfiltration and downloading of additional components from its C&C server.

References
2021-05-07 | TEAMT5 | Jhih-Lin Kuo, Zih-Cing Liao
@techreport{kuo:20210507:we:cd620c1, author = {Jhih-Lin Kuo and Zih-Cing Liao}, title = {{"We Are About to Land": How CloudDragon Turns a Nightmare Into Reality}}, date = {2021-05-07}, institution = {TEAMT5}, url = {https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf}, language = {English}, urldate = {2021-09-14} } "We Are About to Land": How CloudDragon Turns a Nightmare Into Reality
FlowerPower Appleseed BabyShark GoldDragon NavRAT
2020-11-02 | Cybereason | Assaf Dahan, Lior Rochberger, Daniel Frank, Tom Fakterman
@online{dahan:20201102:back:64a6991, author = {Assaf Dahan and Lior Rochberger and Daniel Frank and Tom Fakterman}, title = {{Back to the Future: Inside the Kimsuky KGH Spyware Suite}}, date = {2020-11-02}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite}, language = {English}, urldate = {2020-11-02} } Back to the Future: Inside the Kimsuky KGH Spyware Suite
BabyShark GoldDragon KGH_SPY Kimsuky
Yara Rules
[TLP:WHITE] win_gold_dragon_auto (20210616 | Detects win.gold_dragon.)
rule win_gold_dragon_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.gold_dragon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gold_dragon"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* Each $sequence_N is a short run of x86 instruction bytes taken from the
     * disassembly. The "????????" groups are YARA wildcards standing in for
     * 4-byte operands (absolute addresses, call/jump displacements, immediates)
     * that differ between builds; the disassembly listings below each string
     * show those operands as blank. The remaining fixed displacements (e.g.
     * 0x409500, 0x408348) are build-specific and are the most likely cause of
     * misses on recompiled or relocated variants. */
    strings:
        $sequence_0 = { 8bce 8bc6 c1f905 83e01f 8b0c8d00954000 8d04c0 f644810401 }
            // n = 7, score = 100
            //   8bce                 | mov                 ecx, esi
            //   8bc6                 | mov                 eax, esi
            //   c1f905               | sar                 ecx, 5
            //   83e01f               | and                 eax, 0x1f
            //   8b0c8d00954000       | mov                 ecx, dword ptr [ecx*4 + 0x409500]
            //   8d04c0               | lea                 eax, dword ptr [eax + eax*8]
            //   f644810401           | test                byte ptr [ecx + eax*4 + 4], 1

        $sequence_1 = { c1e603 3b9648834000 0f851c010000 a1???????? }
            // n = 4, score = 100
            //   c1e603               | shl                 esi, 3
            //   3b9648834000         | cmp                 edx, dword ptr [esi + 0x408348]
            //   0f851c010000         | jne                 0x122
            //   a1????????           |                     

        $sequence_2 = { a3???????? 7408 5f b801000000 5e c3 5f }
            // n = 7, score = 100
            //   a3????????           |                     
            //   7408                 | je                  0xa
            //   5f                   | pop                 edi
            //   b801000000           | mov                 eax, 1
            //   5e                   | pop                 esi
            //   c3                   | ret                 
            //   5f                   | pop                 edi

        $sequence_3 = { 50 ffd6 85c0 a3???????? 0f84d8050000 8b0d???????? }
            // n = 6, score = 100
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax
            //   a3????????           |                     
            //   0f84d8050000         | je                  0x5de
            //   8b0d????????         |                     

        $sequence_4 = { 83e01f 8b0c8d00954000 8d04c0 f644810401 741d }
            // n = 5, score = 100
            //   83e01f               | and                 eax, 0x1f
            //   8b0c8d00954000       | mov                 ecx, dword ptr [ecx*4 + 0x409500]
            //   8d04c0               | lea                 eax, dword ptr [eax + eax*8]
            //   f644810401           | test                byte ptr [ecx + eax*4 + 4], 1
            //   741d                 | je                  0x1f

        $sequence_5 = { 50 a3???????? e8???????? 8db60c844000 bf???????? }
            // n = 5, score = 100
            //   50                   | push                eax
            //   a3????????           |                     
            //   e8????????           |                     
            //   8db60c844000         | lea                 esi, dword ptr [esi + 0x40840c]
            //   bf????????           |                     

        $sequence_6 = { 68???????? 50 ffd6 85c0 a3???????? 0f8492060000 a1???????? }
            // n = 7, score = 100
            //   68????????           |                     
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax
            //   a3????????           |                     
            //   0f8492060000         | je                  0x698
            //   a1????????           |                     

        $sequence_7 = { 0f848d030000 8b15???????? 68???????? 52 ffd6 }
            // n = 5, score = 100
            //   0f848d030000         | je                  0x393
            //   8b15????????         |                     
            //   68????????           |                     
            //   52                   | push                edx
            //   ffd6                 | call                esi

        $sequence_8 = { 2b442404 c3 8bc2 c3 8b542404 8b4c2408 }
            // n = 6, score = 100
            //   2b442404             | sub                 eax, dword ptr [esp + 4]
            //   c3                   | ret                 
            //   8bc2                 | mov                 eax, edx
            //   c3                   | ret                 
            //   8b542404             | mov                 edx, dword ptr [esp + 4]
            //   8b4c2408             | mov                 ecx, dword ptr [esp + 8]

        $sequence_9 = { 83f908 7229 f3a5 ff2495a8284000 8bc7 }
            // n = 5, score = 100
            //   83f908               | cmp                 ecx, 8
            //   7229                 | jb                  0x2b
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   ff2495a8284000       | jmp                 dword ptr [edx*4 + 0x4028a8]
            //   8bc7                 | mov                 eax, edi

    /* At least 7 of the 10 sequences must be present, and the scanned object
     * must be smaller than 90112 bytes (88 KiB). The strings were selected
     * from memory dumps and unpacked files (see disclaimer above), so a packed
     * on-disk sample may not match until it is unpacked or scanned in memory;
     * the size cap will also exclude larger droppers that embed the payload. */
    condition:
        7 of them and filesize < 90112
}
[TLP:WHITE] win_gold_dragon_w0   (20180301 | Detects malware from Gold Dragon report)
import "pe"

rule win_gold_dragon_w0 {
	meta:
        author = "Florian Roth"
        description = "Detects malware from Gold Dragon report"
        reference = "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gold_dragon"
        malpedia_version = "20180301"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
	/* Import-hash-only rule: it relies entirely on the "pe" module
	 * (imported above this rule) and matches any PE whose import table
	 * hashes to one of the four values below. No strings or code bytes are
	 * checked, so a hit identifies a build sharing the same import table
	 * rather than the family itself; treat matches as a pivot to be
	 * confirmed with the code-based rule or other indicators, and expect
	 * misses on samples whose imports were rebuilt or resolved at runtime.
	 * The rule carries no filesize guard, so it is evaluated on every PE. */
	condition:
        pe.imphash() == "168c2f7752511dfd263a83d5d08a90db" or
        pe.imphash() == "0606858bdeb129de33a2b095d7806e74" or
        pe.imphash() == "51d992f5b9e01533eb1356323ed1cb0f" or
        pe.imphash() == "bb801224abd8562f9ee8fb261b75e32a"
}