Brave Prince

Malware updated 4 months ago (2024-05-05T03:18:04.801Z)
"Brave Prince" is a Korean-language malware implant that was first observed in the wild on December 13, 2017. It exhibits similar code and behavior to the "Gold Dragon" variants, particularly in terms of system profiling and control server communication mechanisms. The malware sends logs to the attacker via South Korea's Daum email service. Notably, both variants of Brave Prince can terminate a process associated with a tool created by Daum designed to block malicious code. Additionally, the Daum variants of Brave Prince gather information from the system and save it to the file PI_00.dat.

This malware is part of a broader campaign including other implants named "Gold Dragon", "Ghost419", and "Running Rat". These names were derived from phrases found within their code, and they were first identified in December 2017. Gold Dragon shares elements, code, and behaviors with Ghost419 and Brave Prince, and we have been tracking these since May 2017. Ghost419, in turn, is based on Gold Dragon and Brave Prince and contains shared elements and code, particularly for system reconnaissance functions.

On December 21, a variant of Brave Prince used the control server nid-help-pchange.atwebpages.com. Interestingly, this same server was also utilized by a variant of Gold Dragon just three days later on December 24. The discovery of these connections indicates a much wider and interconnected malware campaign than initially suspected. The continued evolution and complexity of these malware variants underscore the importance of robust cybersecurity measures.
Description last updated: 2024-05-05T02:22:07.725Z
Aliases: We are not currently tracking any aliases
Source Document References
Information about the Brave Prince Malware was read from the documents corpus below.
Source: MITRE
Created: 2 years ago
Title: Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims' Systems