Gold Dragon is a Korean-language malware implant first observed on December 24, 2017. It is a data-gathering implant: it profiles the infected system, can download and execute binaries supplied by its control server, and encrypts the data it collects with a generated key. Gold Dragon appeared on the same day the Olympics campaign began, which suggests the two are connected. Its control-server traffic uses a distinctive User-Agent string, and its system reconnaissance code overlaps heavily with that of other malware from the same campaign.
Gold Dragon is part of a broader campaign that also includes Brave Prince, Ghost419, and RunningRat. These implants share substantial code, especially the system reconnaissance functions. Brave Prince, like Gold Dragon, is a Korean-language implant with similar system profiling and control-server communication. Ghost419, which carries the hard-coded string "Ghost419" in its binary, is built on the Gold Dragon and Brave Prince implants.
Five variants of Gold Dragon were compiled in late December 2017 and targeted Olympic organizations heavily. These variants contain the string "WebKitFormBoundarywhpFxMBe19cSjFnG", which is the multipart form boundary used by their upload mechanism. Later versions exfiltrate collected data through HTTP POST requests to a web server, following the same process as the original Gold Dragon sample. The code shared across these families points to a much wider and more coordinated campaign than previously known.
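The hard-coded boundary is a usable network indicator: a real WebKit-based browser generates a fresh random boundary for every multipart upload, so a fixed boundary that recurs across POST requests is anomalous on its own, and the specific literal above identifies these Gold Dragon variants. The following Python is an added detection example written for this page, not code from the original description or from any vendor report. It parses raw HTTP requests, flags the known literal, and, as a generalization beyond the page (an assumption about browser behaviour, not something the page states), flags any boundary reused repeatedly by one host. The sample requests, host names and paths are constructed for the example.

```python
"""Flag HTTP multipart uploads that use the Gold Dragon hard-coded form boundary."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Boundary literal reported for the late-December 2017 Gold Dragon variants.
# The Content-Type header carries it with a "----" prefix, so we substring-match.
KNOWN_BAD_BOUNDARIES = {"WebKitFormBoundarywhpFxMBe19cSjFnG"}

# Content-Type: multipart/form-data; boundary=<value>   (value may be quoted)
_CONTENT_TYPE_RE = re.compile(
    r'^content-type:\s*multipart/form-data;.*?boundary="?([^";\r\n]+)"?',
    re.IGNORECASE | re.MULTILINE,
)


def extract_boundary(raw_request: str) -> Optional[str]:
    """Return the multipart boundary declared in the request headers, or None."""
    headers = raw_request.split("\r\n\r\n", 1)[0]
    match = _CONTENT_TYPE_RE.search(headers)
    return match.group(1).strip() if match else None


def classify(raw_request: str) -> Optional[str]:
    """Return a reason string if the request matches the Gold Dragon upload, else None."""
    if not raw_request.startswith("POST "):
        return None  # the upload mechanism is a POST; skip everything else
    boundary = extract_boundary(raw_request)
    if boundary is None:
        return None
    for bad in KNOWN_BAD_BOUNDARIES:
        if bad in boundary:
            return f"hard-coded Gold Dragon multipart boundary: {bad}"
    return None


def reused_boundaries(requests: List[Tuple[str, str]], min_repeats: int = 3) -> Dict[str, List[str]]:
    """Generalization (assumption): genuine browsers pick a random boundary per upload,
    so the same boundary seen >= min_repeats times from one host is suspicious even
    when the literal is not on the known-bad list. Returns host -> reused boundaries."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for host, raw in requests:
        boundary = extract_boundary(raw)
        if raw.startswith("POST ") and boundary is not None:
            counts[host][boundary] += 1
    return {
        host: [b for b, n in per_host.items() if n >= min_repeats]
        for host, per_host in counts.items()
        if any(n >= min_repeats for n in per_host.values())
    }


def build_post(boundary: str, user_agent: str = "Mozilla/5.0") -> str:
    """Construct a minimal multipart/form-data POST for testing (constructed sample)."""
    body = (
        f"--{boundary}\r\n"
        'Content-Disposition: form-data; name="file"; filename="a.txt"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
        "hello\r\n"
        f"--{boundary}--\r\n"
    )
    return (
        "POST /upload.php HTTP/1.1\r\n"
        "Host: example.invalid\r\n"  # constructed, not a real control server
        f"User-Agent: {user_agent}\r\n"
        f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
        f"{body}"
    )


# Constructed samples: the Gold Dragon literal versus a browser-style random boundary.
MALICIOUS_SAMPLE = build_post("----WebKitFormBoundarywhpFxMBe19cSjFnG")
BENIGN_SAMPLE = build_post("----WebKitFormBoundaryAbCdEf0123456789")


def demo() -> Dict[str, List[str]]:
    """Run both checks over a small constructed batch and return the reuse report."""
    batch = [("10.0.0.5", MALICIOUS_SAMPLE)] * 3 + [
        ("10.0.0.7", BENIGN_SAMPLE),
        ("10.0.0.7", build_post("----WebKitFormBoundaryZyXwVu9876543210")),
    ]
    for host, raw in batch:
        reason = classify(raw)
        print(f"{host}: {reason or 'no known indicator'}")
    return reused_boundaries(batch)


if __name__ == "__main__":
    print(demo())
```

The literal match catches only these variants; the reuse heuristic is the check to keep running, since it fires on any implant that hard-codes a boundary, but it needs a per-host baseline, because some non-browser clients also use a constant boundary.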
Description last updated: 2024-05-04T17:41:38.175Z