Brave Prince is a Korean-language implant that was first observed in the wild in December 2017. It contains similar code and behavior to Gold Dragon, and was seen along with Gold Dragon and RunningRAT in operations surrounding the 2018 Pyeongchang Winter Olympics. [1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Brave Prince terminates antimalware processes.[1] |
| Enterprise | T1083 | File and Directory Discovery | Brave Prince gathers file and directory information from the victim’s machine.[1] |
| Enterprise | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | Some Brave Prince variants have used South Korea's Daum email service to exfiltrate information, and later variants have posted the data to a web server via an HTTP POST command.[1] |
| Enterprise | T1012 | Query Registry | Brave Prince gathers information about the Registry.[1] |
| Enterprise | T1082 | System Information Discovery | Brave Prince collects hard drive content and system configuration information.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | Brave Prince gathers network configuration information as well as the ARP cache.[1] |
| Enterprise | T1057 | Process Discovery | Brave Prince lists the running processes.[1] |