Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems
UPDATE (Feb. 12, 2018): A new variant of the original file-less implant appeared on Feb. 5, 2018, indicating the attack has resumed. The new variant has the same author and metadata as the original documents discovered in December, as well as a nearly identical implant. A key difference, however, is that the attackers leveraged hacked servers in Santiago, Chile. See the indicators of compromise for this update at the bottom of this post.
McAfee ATR has now discovered additional implants that are part of an operation to gain persistence for continued data exfiltration and for targeted access. We have named these implants, which appeared in December 2017, Gold Dragon, Brave Prince, Ghost419, and Running Rat, based on phrases in their code.
On December 24, 2017, our analysts observed the Korean-language implant Gold Dragon. We now believe this implant is the second-stage payload in the Olympics attack that ATR discovered January 6, 2018. The PowerShell …
IoC
06948ab527ae415f32ed4b0f0d70be4a86b364a5
11a38a9d23193d9582d02ab0eae767c3933066ec
200.200.200.13
223.194.70.136
35e5310b6183469f4995b7cd4f795da8459087a4
389db34c3a37fd288e92463302629aa48be06e35
3a0c617d17e7f819775e48f7edefe9af84a1446b
465d48ae849bbd6505263f3323e818ccb501ba88
4f58e6a7a04be2b2ecbcdcbae6f281778fdbd9f9
539acd9145befd7e670fe826c248766f46f0d041
5a7fdfa88addb88680c2f0d5f7095220b4bbffc1
5e1326dd7122e2e2aed04ca4de180d16686853a7
615447f458463dc77f7ae3b0a4ad20ca2303027a
6e13875449beb00884e07a38d0dd2a73afe38283
71f337dc65459027f4ab26198270368f68d7ae77
761b0690cd86fb472738b6dc32661ace5cf18893
7ae731d666e547b4f3442fe5675c8e8719d8d862
7e74f034d8aa4570bd1b7dcfcdfaa52c9a139361
83706ddaa5ea5ee2cfff54b7c809458a39163a7a
96a2fda8f26018724c86b275fe9396e24b26ec9e
a9eb9a1734bb84bbc60df38d4a1e02a870962857
ad08a60dc511d9b69e584c1310dbd6039acffa0d
bc6cb78e20cb20285149d55563f6fdcf4aaafa58
bf21667e4b48b8857020ba455531c9c4f2560740
c2f01355880cd9dfeef75cff189f4a8af421e0d3
d63c7d7305a8b2184fff3b0941e596f09287aa66
e68f43ecb03330ff0420047b61933583b4144585
fef671c13039df24e1606d5fdc65c92fbc1578d9
http://ink.inkboom.co.kr/host/img/jpg/download.php?filename=
http://ink.inkboom.co.kr/host/img/jpg/post.php
https://minibodegaslock.cl/components/com_tags/controllers/access_log
https://minibodegaslock.cl:443/components/com_tags/controllers/default_tags.php
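The list above mixes three indicator types with no labels: 40-hex-character SHA-1 file hashes, IPv4 addresses, and C2 URLs (one of which, `download.php?filename=`, is a prefix rather than a full URL, and one of which carries an explicit `:443` that a naive string compare would miss). The following is an added triage script, not McAfee ATR's code, that classifies the indicators and matches them against host and proxy telemetry. It embeds only a subset of the indicators (the remaining hashes can be pasted into `IOCS`); the proxy log lines and the file-hash inventory are constructed for illustration, and the log format is an assumed space-separated `time client dst_ip method url status` layout.

```python
"""Triage the Gold Dragon IoC list against proxy logs and a file-hash inventory.

Added example, not McAfee ATR's code. Indicator strings are copied from the
post (subset); PROXY_LOG and FILE_INVENTORY are constructed sample data.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Subset of the published indicators; paste the rest of the hashes here.
IOCS = """
06948ab527ae415f32ed4b0f0d70be4a86b364a5
11a38a9d23193d9582d02ab0eae767c3933066ec
200.200.200.13
223.194.70.136
http://ink.inkboom.co.kr/host/img/jpg/download.php?filename=
http://ink.inkboom.co.kr/host/img/jpg/post.php
https://minibodegaslock.cl/components/com_tags/controllers/access_log
https://minibodegaslock.cl:443/components/com_tags/controllers/default_tags.php
""".split()

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")


def classify(iocs):
    """Split raw indicator strings into SHA-1 hashes, IPv4 addresses and URLs."""
    hashes, ips, urls = set(), set(), []
    for ioc in iocs:
        ioc = ioc.strip().lower()
        if SHA1_RE.match(ioc):
            hashes.add(ioc)
            continue
        try:
            ips.add(str(ipaddress.ip_address(ioc)))
            continue
        except ValueError:
            pass
        if ioc.startswith(("http://", "https://")):
            urls.append(ioc)
    return hashes, ips, urls


def url_key(url):
    """Normalize a URL to (host, path, query): drops an explicit default port such
    as ':443' and keeps the query so 'filename=' can be matched as a prefix."""
    parts = urlsplit(url.lower())
    return parts.hostname, parts.path, parts.query


# Constructed proxy log: time client dst_ip method url status.
# Destination IPs other than the published ones are RFC 5737 documentation addresses.
PROXY_LOG = """\
2018-02-05T10:14:02Z 10.0.0.15 203.0.113.10 GET https://www.example.org/ 200
2018-02-05T10:14:09Z 10.0.0.15 223.194.70.136 GET http://ink.inkboom.co.kr/host/img/jpg/download.php?filename=stage2.dat 200
2018-02-05T10:15:41Z 10.0.0.22 203.0.113.5 POST https://minibodegaslock.cl:443/components/com_tags/controllers/default_tags.php 200
2018-02-05T10:16:00Z 10.0.0.22 203.0.113.5 GET http://minibodegaslock.cl/index.php 200
""".splitlines()


def scan_proxy_log(lines, ips, urls):
    """Return (line_no, reason) for every log line whose destination IP or URL
    matches an indicator. URL match = same host and path, and the logged query
    starts with the indicator's query (empty indicator query matches anything)."""
    ioc_keys = [url_key(u) for u in urls]
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line; skip rather than crash the sweep
        dst_ip, url = fields[2], fields[4]
        if dst_ip in ips:
            hits.append((n, f"dst ip {dst_ip}"))
            continue
        host, path, query = url_key(url)
        for h, p, q in ioc_keys:
            if host == h and path == p and query.startswith(q):
                hits.append((n, f"url {host}{path}"))
                break
    return hits


# Constructed file inventory (path -> SHA-1), as an EDR export might provide it.
FILE_INVENTORY = {
    r"C:\Windows\System32\notepad.exe": "1" * 40,
    r"C:\Users\Public\update.dat": "06948AB527AE415F32ED4B0F0D70BE4A86B364A5",
}


def scan_hashes(inventory, hashes):
    """Return the paths whose SHA-1 (case-insensitive) is a published indicator."""
    return sorted(p for p, d in inventory.items() if d.lower() in hashes)


if __name__ == "__main__":
    h, i, u = classify(IOCS)
    for hit in scan_proxy_log(PROXY_LOG, i, u):
        print("proxy hit:", hit)
    for path in scan_hashes(FILE_INVENTORY, h):
        print("file hit:", path)
```

Two points from the sample run are worth carrying into a production rule: the `minibodegaslock.cl/index.php` request is correctly not flagged (same hacked host, different path, so host-only blocking would be a separate, noisier decision), and the `download.php?filename=stage2.dat` request is flagged because the indicator's query is treated as a prefix rather than an exact string.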