S0252 Brave Prince

Brave Prince is a Korean-language implant that was first observed in the wild in December 2017. It contains similar code and behavior to Gold Dragon, and was seen along with Gold Dragon and RunningRAT in operations surrounding the 2018 Pyeongchang Winter Olympics. ¹

Item	Value
ID	S0252
Associated Names
Type	MALWARE
Version	1.2
Created	17 October 2018
Last Modified	11 April 2022
Navigation Layer	View In ATT&CK® Navigator

Techniques Used

Domain	ID	Name	Use
enterprise	T1048	Exfiltration Over Alternative Protocol	-
enterprise	T1048.003	Exfiltration Over Unencrypted Non-C2 Protocol	Some Brave Prince variants have used South Korea’s Daum email service to exfiltrate information, and later variants have posted the data to a web server via an HTTP post command.¹
enterprise	T1083	File and Directory Discovery	Brave Prince gathers file and directory information from the victim’s machine.¹
enterprise	T1562	Impair Defenses	-
enterprise	T1562.001	Disable or Modify Tools	Brave Prince terminates antimalware processes.¹
enterprise	T1057	Process Discovery	Brave Prince lists the running processes.¹
enterprise	T1012	Query Registry	Brave Prince gathers information about the Registry.¹
enterprise	T1082	System Information Discovery	Brave Prince collects hard drive content and system configuration information.¹
enterprise	T1016	System Network Configuration Discovery	Brave Prince gathers network configuration information as well as the ARP cache.¹

Groups That Use This Software

ID	Name	References
G0094	Kimsuky	²

References

Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018. ↩↩↩↩↩↩↩↩
An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021. ↩