Brute Ratel

Hacking groups and ransomware operations are moving away from Cobalt Strike to the newer Brute Ratel post-exploitation toolkit to evade detection by EDR and antivirus solutions.

Corporate cybersecurity teams commonly consist of employees who attempt to breach corporate networks (red team) and those who actively defend against them (blue team). Both teams then share notes after engagements to strengthen the cybersecurity defenses of a network.

For years, one of the most popular tools in red team engagements has been Cobalt Strike, a toolkit allowing attackers to deploy “beacons” on compromised devices to perform remote network surveillance or execute commands.

While Cobalt Strike is legitimate software, threat actors have been sharing cracked versions online, making it one of the most popular tools used by hackers and ransomware operations to spread laterally through breached corporate networks.

Hackers switch to Brute Ratel

In 2020, Chetan Nayak, an ex-red teamer at Mandiant and CrowdStrike, released Brute Ratel Command and Control Center (BRc4) as an alternative to Cobalt Strike for red team penetration testing engagements.

Like Cobalt Strike, Brute Ratel is an adversarial attack simulation tool that allows red teamers to deploy ‘Badgers’ (similar to beacons in Cobalt Strike) on remote hosts. These badgers connect back to the attacker’s Command and Control server to receive commands to execute or transmit the output of previously run commands.

In a new report by Palo Alto Unit 42, researchers have spotted threat actors moving away from Cobalt Strike to using Brute Ratel as their post-exploitation toolkit of choice.

This change in tactics is significant as BRc4 is designed to evade detection by EDR and antivirus solutions, with almost all security software not detecting it as malicious when first spotted in the wild.

“While this capability has managed to stay out of the spotlight and remains less commonly known than its Cobalt Strike brethren, it is no less sophisticated,” explains Unit 42’s report.

“Instead, this tool is uniquely dangerous in that it was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities. Its effectiveness at doing so can clearly be witnessed by the aforementioned lack of detection across vendors on VirusTotal.”

In attacks suspected to be linked to the Russian state-sponsored hacking group APT29 (aka CozyBear and Dukes), threat actors distribute malicious ISOs that allegedly contain a submitted résumé (CV).

Contents of the malicious ISO file
Contents of the malicious ISO file
Source: BleepingComputer

However, the ‘Roshan-Bandara_CV_Dialog’ résumé file is actually a Windows shortcut that will launch the bundled OneDriveUpdater.exe file, as shown in the file’s properties below.

Windows shortcut disguised as CV to launch a program
Windows shortcut disguised as CV to launch a program
Source: BleepingComputer

While OneDriveUpdater.exe is a legitimate Microsoft executable, the included version.dll that is loaded by the program has been modified to act as a loader for a Brute Ratel badger, which is loaded into the RuntimeBroker.exe process.

Once the Brute Ratel badger is loaded, the threat actors can remotely access the compromised device to execute commands and spread further in the now-breached network.

Ransomware gangs get in on the action

Brute Ratel currently costs $2,500 per user for a one-year license, with customers required to provide a business email address and be verified before a license is issued.

“But due to the nature of the software, we only sell the product to registered companies and individuals with an official business e-mail address/Domain after verifying the business and the person’s work history,” explains the Brute Ratel pricing page.

As this is a manual verification process, it raises the question of how the threat actors receive software licenses.

Brute Ratel developer Chetan Nayak told BleepingComputer that the license used in attacks reported by Unit 42 was leaked by a disgruntled employee of one of his customers. 

As payloads allow Nayak to see who they are licensed to, he was able to identify and revoke the license.

However, according to AdvIntel CEO Vitali Kremez, ex-Conti ransomware members have also started to acquire licenses by creating fake US companies to pass the licensing verification system.

“The criminals behind the former Conti ransomware operations explored multiple penetration testing kits beyond usage of Cobalt Strike,” Kremez told BleepingComputer in a conversation.

“In one particular case, they have gained access to the Brute Ratel kit that was used for post-exploitation in targeted attacks from BumbleBee loader. The ultimate goal of the Brute Ratel usage was post-exploitation framework for lateral movement and subsequent network encryption via ransomware payload.”

“To get access to the Brute Ratel licenses, the threat actors create fake US companies which are used as part of the verification process.”

BleepingComputer reached out to Brute Ratel’s creator, Chetan Nayak, with questions regarding the verification process but has not heard back.

Source: www.bleepingcomputer.com