What Is It?
Researchers at McAfee recently published the results of their analysis of second stage malware payloads resulting from a spear phishing campaign against more than 300 organizations involved with the PyeongChang Winter Olympics.
The purpose of these second stage payloads was to allow for data exfiltration and access to infected systems. Due to the domain names they use or other strings found in the code, these payloads have been named Gold Dragon, Brave Prince, Ghost419 and RunningRat.
Gold Dragon is designed to gather system data and download additional malware. Brave Prince gathers more detailed system information including the contents of the hard drive, the system registry and what’s running on the system. Ghost419 also performs system reconnaissance and may be a later version of either Gold Dragon or Brave Prince.
Finally, as the name suggests, RunningRat is a remote access trojan (RAT) whose main function is keystroke logging. It also kills the process associated with Daum Cleaner, a Korean security application. It contains code for other functionality to be expected of a RAT, such as deleting files, clearing system event logs and rebooting the system; however, it appears this code has no way of being executed by the analyzed sample.
How Does It Propagate?
The initial infection vector in this attack was malicious Word documents attached to phishing e-mails. The second stage malware was later downloaded by the original malware.
When/How Did BluVector Detect It?
BluVector’s patented Machine Learning Engine (MLE) detects both the first and second stages of this attack. Regression testing on samples has shown that the malicious documents used in the first stage of the attack would have been detected by BluVector an average of 9 months prior to its release, and the second stage malware samples would have been detected an average of 42 months prior.