Brave Prince

Brave Prince is a Korean-language implant that was first observed in the wild in December 2017. It contains similar code and behavior to Gold Dragon, and was seen along with Gold Dragon and RunningRAT in operations surrounding the 2018 Pyeongchang Winter Olympics. [1]

ID: S0252
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 17 October 2018
Last Modified: 21 April 2020

Techniques Used

Domain ID Name Use
Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

Some Brave Prince variants have used South Korea's Daum email service to exfiltrate information, and later variants have posted the data to a web server via an HTTP post command.[1]

Enterprise T1083 File and Directory Discovery

Brave Prince gathers file and directory information from the victim’s machine.[1]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Brave Prince terminates antimalware processes.[1]

Enterprise T1057 Process Discovery

Brave Prince lists the running processes.[1]

Enterprise T1012 Query Registry

Brave Prince gathers information about the Registry.[1]

Enterprise T1082 System Information Discovery

Brave Prince collects hard drive content and system configuration information.[1]

Enterprise T1016 System Network Configuration Discovery

Brave Prince gathers network configuration information as well as the ARP cache.[1]

References