Brave Prince

Malware Profile Updated 3 months ago
"Brave Prince" is a Korean-language malware implant that was first observed in the wild on December 13, 2017. It exhibits similar code and behavior to the "Gold Dragon" variants, particularly in terms of system profiling and control server communication mechanisms. The malware sends logs to the attacker via South Korea's Daum email service. Notably, both variants of Brave Prince can terminate a process associated with a tool created by Daum designed to block malicious code. Additionally, the Daum variants of Brave Prince gather information from the system and save it to the file PI_00.dat. This malware is part of a broader campaign including other implants named "Gold Dragon", "Ghost419", and "Running Rat". These names were derived from phrases found within their code, and they were first identified in December 2017. Gold Dragon shares elements, code, and behaviors with Ghost419 and Brave Prince, and we have been tracking these since May 2017. Ghost419, in turn, is based on Gold Dragon and Brave Prince and contains shared elements and code, particularly for system reconnaissance functions. On December 21, a variant of Brave Prince used the control server nid-help-pchange.atwebpages.com. Interestingly, this same server was also utilized by a variant of Gold Dragon just three days later on December 24. The discovery of these connections indicates a much wider and interconnected malware campaign than initially suspected. The continued evolution and complexity of these malware variants underscore the importance of robust cybersecurity measures.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Gold Dragon | 1 | Gold Dragon is a Korean-language malware implant that has been observed since December 24, 2017. This data-gathering implant was designed to infiltrate systems, execute binaries from a control server, and encrypt the data it obtains using a generated key. Notably, Gold Dragon re-emerged on the same
Ghost419 | 1 | Ghost419 is a malicious software, or malware, that first emerged in the wild on December 18, 2017. It is one of several implants, including Gold Dragon, Brave Prince, and Running Rat, which were named based on phrases found within their code. These implants appeared in December 2017 and demonstrate
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Rat
Implant
Reconnaissance
Associated Malware
ID | Type | Votes | Profile Description
RunningRAT | Unspecified | 1 | RunningRat is a type of malware that was discovered as part of a larger campaign that includes Gold Dragon, Brave Prince, and Ghost419. This malware is a remote access Trojan (RAT) that operates with two DLLs, and its main function is to steal keystrokes. However, further analysis has revealed that
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Brave Prince Malware was read from the documents corpus below.
Source | Created At | Title
MITRE | a year ago | Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims' Systems