Brave Prince

Brave Prince is a Korean-language implant that was first observed in the wild in December 2017. It contains similar code and behavior to Gold Dragon, and was seen along with Gold Dragon and RunningRAT in operations surrounding the 2018 Pyeongchang Winter Olympics. [1]

ID: S0252
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1089 Disabling Security Tools

Brave Prince terminates antimalware processes.[1]

Enterprise T1083 File and Directory Discovery

Brave Prince gathers file and directory information from the victim’s machine.[1]

Enterprise T1057 Process Discovery

Brave Prince lists the running processes.[1]

Enterprise T1012 Query Registry

Brave Prince gathers information about the Registry.[1]

Enterprise T1071 Standard Application Layer Protocol

Some Brave Prince variants have used South Korea's Daum email service to exfiltrate information, and later variants have posted the data to a web server via an HTTP post command.[1]

Enterprise T1082 System Information Discovery

Brave Prince collects hard drive content and system configuration information.[1]

Enterprise T1016 System Network Configuration Discovery

Brave Prince gathers network configuration information as well as the ARP cache.[1]

References