The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

Kimsuky GoldDragon C2 Cluster

Sep 19, 2022 11:06:44 AM / by PolySwarm Tech Team

kimsuky_TwitterVerticals Targeted: Think Tanks, Media, Government

Executive Summary

In early 2022, the North Korean threat actor group Kimsuky targeted a South Korean think tank and media entities. In this campaign, they leveraged what is known as the GoldDragon backdoor and associated C2 cluster.

Key Takeaways

  • GoldDragon is a backdoor and associated C2 cluster used by the North Korean threat actor group Kimsuky.
  • Kimsuky used a geopolitical-themed spearphishing campaign to target its victims, with the initial payload calling out to the GoldDragon C2 cluster.
  • GoldDragon uses multiple C2 servers to verify that the intended victim is being targeted before delivering the final payload.
What is GoldDragon?

GoldDragon is a backdoor and associated C2 cluster used by Kimsuky in an early 2022 campaign targeting South Korean think tanks and media entities. The initial infection chain was established by sending a spearphishing email with a malicious macro-embedded Word document. The documents used a geopolitical theme. After the initial infection, the threat actors delivered a Visual Basic Script to the victim machine. This file reported victim machine information to the C2 and retrieved additional payloads. The final stage malware was a Windows executable used to steal file lists, record keystrokes, and harvest web browser login credentials.

Securelist further described the GoldDragon C2 operation as follows:
  • The threat actor uses a spearphishing email to trick the victim into downloading a malicious document.
  • If the victim clicks the link, they are connected to the first stage C2 server, using an email address as a parameter.
  • The first stage, C2, verifies the parameter and delivers the document if the email address matches the expected parameter. A script forwards the victim IP to the next stage server.
  • When the victim opens the malicious document, it connects to the second C2 server.
  • A script on the second C2 server checks the IP address sent from the first stage server to verify it is the same victim. 
  • The threat actors use additional processes to check OS type and user-agent strings prior to delivering the next payload.
Who is Kimsuky?

Kimsuky, also known as Thallium, Black Banshee, Stolen Pencil,  and Velvet Chollima, is a North Korean nexus threat actor group active since at least 2012. Kimsuky is thought to be a state-sponsored threat actor and primarily conducts espionage operations. Kimsuky is known to target politicians, diplomats, journalists, academics, nuclear power operators, and North Korean defectors.

Kimsuky TTPs include but are not limited to an extensive C2 infrastructure, using Blogspot to host content, spearphishing, malicious documents, malicious browser extensions, AppleSeed, BabyShark, Brave Prince, CSPY Downloader, Mimikatz, GoldDragon, and NOKKI. The group regularly updates its toolset.

IOCs

PolySwarm has multiple samples associated with GoldDragon.

2c044aa99fee2ece3665c79a2a775f92494321032c50c3aa57e2b715381b7f0b 

443651a601f6d0774bf4cea316f4c2b882f7c6556b15067a9d40c3919f4ca708 

4be2ba7c6bd32fb51c7c876fb504f991f03c9e996ab971da2a6c1dc18b7ef6ed 

5498c3eb2fb335aadcaf6c5d60560c5d2525997ba6af39b191f6092cb70a3aa6 

80b1d58755587a0e3287aa11ce472bc657ddc4b5a11ab7347ad058644db9973f 

87669482598f6ec5f5a99eb4d3eb8a9bfc5ba24664b6470b8cfaf19dbe909389 

93a0d92f7642048ed00c2fa90e22bfa6db0fc338eb05c7264aba283f7bb6f557

b2475b93aef75693935ad78b577f712766e8314c7758fc1f6841538647c120f0

b24da5056d33e66f0d246629a42e5d3e55a18ea4ebc8469ca989a33f1c14ef0e

bc1e205dba851a72bf7aedfbb3ff116c3035560a586d305e020a7dc9b742c4de

bcdfa8292bdd10101587b5e3ac14aca6cf93c7b07aa870d48733dcd6cf9c4734 

be0ed9634371261ccd155c54f50ab4b26553fea9cafcf598a494a5da46931a3d 

be14e3245a4e6054ef231cd471e7f16c44a4ba0c0302c38f53dd98116af02641

e43d2e8772b56dcf76555f730e9c349b1bebd0c16a9d1637fca2e8d24154cbcf

e8311bde458b459de78e18ec0c6fbca7087c9124e576955e5bb257df3d3254aa


You can use the following CLI command to search for all GoldDragon-related samples in our portal:

$ polyswarm link list -f GoldDragon

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports

Topics: Threat Bulletin, Espionage, North Korea, Kimsuky, GoldDragon

PolySwarm Tech Team

Written by PolySwarm Tech Team

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts