Brave Prince
Brave Prince is a Korean-language implant that was first observed in the wild in December 2017. It contains similar code and behavior to Gold Dragon, and was seen along with Gold Dragon and RunningRAT in operations surrounding the 2018 Pyeongchang Winter Olympics. [1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1048 | .003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol |
Some Brave Prince variants have used South Korea's Daum email service to exfiltrate information, and later variants have posted the data to a web server via an HTTP post command.[1] |
| Enterprise | T1083 | File and Directory Discovery |
Brave Prince gathers file and directory information from the victim’s machine.[1] |
|
| Enterprise | T1562 | .001 | Impair Defenses: Disable or Modify Tools |
Brave Prince terminates antimalware processes.[1] |
| Enterprise | T1057 | Process Discovery |
Brave Prince lists the running processes.[1] |
|
| Enterprise | T1012 | Query Registry |
Brave Prince gathers information about the Registry.[1] |
|
| Enterprise | T1082 | System Information Discovery |
Brave Prince collects hard drive content and system configuration information.[1] |
|
| Enterprise | T1016 | System Network Configuration Discovery |
Brave Prince gathers network configuration information as well as the ARP cache.[1] |
|
Groups That Use This Software
References
- Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
- An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.