Brave Prince

Brave Prince is a Korean-language implant that was first observed in the wild in December 2017. It contains similar code and behavior to Gold Dragon, and was seen along with Gold Dragon and RunningRAT in operations surrounding the 2018 Pyeongchang Winter Olympics. [1]

ID: S0252
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

DomainIDNameUse
EnterpriseT1089Disabling Security ToolsBrave Prince terminates antimalware processes.[1]
EnterpriseT1083File and Directory DiscoveryBrave Prince gathers file and directory information from the victim’s machine.[1]
EnterpriseT1057Process DiscoveryBrave Prince lists the running processes.[1]
EnterpriseT1012Query RegistryBrave Prince gathers information about the Registry.[1]
EnterpriseT1071Standard Application Layer ProtocolSome Brave Prince variants have used South Korea's Daum email service to exfiltrate information, and later variants have posted the data to a web server via an HTTP post command.[1]
EnterpriseT1082System Information DiscoveryBrave Prince collects hard drive content and system configuration information.[1]
EnterpriseT1016System Network Configuration DiscoveryBrave Prince gathers network configuration information as well as the ARP cache.[1]

References