Brave Prince is a Remote Access Trojan (RAT) first observed in the wild in December 2017. It shares code and behavior with the Gold Dragon malware and was seen alongside Gold Dragon and RunningRAT in operations surrounding the 2018 Pyeongchang Winter Olympics. Brave Prince targets the Windows operating system and is capable of collecting hard drive contents and system configuration information, gathering network configuration information as well as the ARP cache, terminating antimalware processes, and gathering file and directory information from the victim's machine.
Brave Prince Malware Capabilities
Brave Prince may attempt to gather information about running processes, installed software, and network configuration on a system. The adversary may use this information to determine whether or not to fully infect the target and/or attempt specific actions. Brave Prince may also modify and/or disable security tools to avoid detection.
- The Brave Prince malware may attempt to gain information about running processes on a system in order to understand the software and applications commonly running on systems within the network. This information may be used to determine follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. The malware may also steal data by exfiltrating it over an unencrypted network protocol, or by sending it to a network location other than the main command and control server. Finally, Brave Prince may attempt to collect detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture, which likewise informs the adversary's follow-on behavior.
- Brave Prince may collect information about the network configuration and settings of the systems it infects, including IP and MAC addresses. It may also modify or disable security tools to avoid detection. Additionally, it may enumerate files and directories or search for specific information within the file system.
Ways to Mitigate Brave Prince Malware Attacks
- Monitor for system and network discovery activity (process execution and command-line arguments of discovery utilities) that is unusual for a given host or user, since such activity can reveal a Brave Prince infection early in the collection phase. Analyze network data to detect unusual communication patterns, such as collected data being sent to locations other than expected servers.
- Monitor process and command-line arguments for signs of security tool interference (for example, termination of antimalware processes), and monitor Registry edits to service and startup program entries that could indicate malicious persistence. Additionally, track system and network discovery activity as an indicator of potential data collection and exfiltration.
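The following is an added detection example, not code from the original page or any vendor: it correlates Sysmon-style process and Registry events per host so that an alert fires only when several of the behaviors described above (network discovery, antimalware process termination, Run-key persistence) occur together within a short window, which keeps a lone administrator running a discovery command from raising an alert. The event records and the antimalware process name are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, Sysmon-style events (not real telemetry): (timestamp, host, event_type, detail).
# "avservice.exe" is a hypothetical antimalware process name used only for this example.
SAMPLE_EVENTS = [
    ("2018-02-09T10:00:01", "ws01", "process", "cmd.exe /c arp -a"),
    ("2018-02-09T10:00:03", "ws01", "process", "cmd.exe /c ipconfig /all"),
    ("2018-02-09T10:00:09", "ws01", "process", "taskkill /f /im avservice.exe"),
    ("2018-02-09T10:00:20", "ws01", "registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    ("2018-02-09T11:30:00", "ws02", "process", "cmd.exe /c ipconfig /all"),  # lone admin command
]

# Each rule: (event type it applies to, pattern over the event detail).
RULES = {
    "network_discovery": ("process", re.compile(r"\b(arp\s+-a|ipconfig)\b", re.I)),
    "security_tool_kill": ("process", re.compile(r"\btaskkill\b.*/im\b", re.I)),
    "run_key_persistence": ("registry", re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)),
}


def tag_event(event_type, detail):
    """Return the names of all rules that match a single event."""
    return [name for name, (etype, pat) in RULES.items()
            if etype == event_type and pat.search(detail)]


def correlate(events, window_minutes=10, min_distinct=2):
    """Return {host: sorted distinct rule names} for every host on which at least
    min_distinct different rules fired within a sliding window of window_minutes."""
    per_host = defaultdict(list)
    for ts, host, etype, detail in events:
        for name in tag_event(etype, detail):
            per_host[host].append((datetime.fromisoformat(ts), name))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()  # chronological order so the window can slide forward
        for i, (t0, _) in enumerate(hits):
            names = {n for t, n in hits[i:] if t - t0 <= timedelta(minutes=window_minutes)}
            if len(names) >= min_distinct:
                alerts[host] = sorted(names)
                break
    return alerts


if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))  # only ws01 is reported
```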
About Kimsuky Threat Group
Kimsuky is a North Korea-based cyber espionage group that has been active since at least 2012. The group has targeted entities and individuals in South Korea, the United States, Russia, Europe, and the UN in order to collect intelligence on issues related to the Korean peninsula, nuclear policy, and sanctions.