Hacking groups and ransomware operations are switching from Cobalt Strike to the newer Brute Ratel post-exploitation toolkit to avoid detection by EDR and antivirus products. When Brute Ratel first appeared in the wild, almost no security solutions could detect it.
One of the most popular toolkits in red team engagements is Cobalt Strike, which enables attackers to install beacons on compromised devices to conduct remote network surveillance or send commands.
Hacker groups and ransomware operations also use the tool to move laterally through compromised corporate networks.
As an alternative to Cobalt Strike for red team penetration testing engagements, former red team member Chetan Nayak published Brute Ratel Command and Control Center (BRc4) in 2020.
About Brute Ratel
Brute Ratel is the most advanced red team simulation software at the moment. It can provide a structured timeline and simulate the cyber kill chain, and cybersecurity teams can use it to validate their detection of cyberattacks and strengthen their defenses. It is strictly a post-exploitation tool: it does not assist in creating exploits.
Brute Ratel enables the red team to deploy badgers on remote hosts. Badgers function similarly to Cobalt Strike beacons and connect to the attacker’s C2 server for RCE.
Brute Ratel’s features and more details can be found on the software’s official site.
Threat Actors Were Able To Acquire Licenses
Although Cobalt Strike is legitimate commercial software, threat actors have long spread cracked versions of it online, making it one of the tools most widely used by hackers and ransomware operations.
Brute Ratel is currently sold only to verified companies. Chetan Nayak, the developer of Brute Ratel, stated that a license was leaked by a customer’s employee, which explains how attackers were able to use it in their operations.
Although Nayak was able to revoke that license afterward, former Conti ransomware members were later found using fake company profiles to obtain licenses for the software.
“In one case, they have gained access to the Brute Ratel kit used for post-exploitation in targeted attacks from BumbleBee loader. The ultimate goal of the Brute Ratel usage was the post-exploitation framework for lateral movement and subsequent network encryption via ransomware payload,” AdvIntel’s CEO said.
Threat actors spread malicious ISOs that appear to contain submitted resumes (CVs) in attacks thought to be connected to the Russian state-sponsored hacking group APT29 (also known as CozyBear and the Dukes).
However, as the file’s properties (shown below) reveal, the Roshan-Bandara_CV_Dialog “resume” is actually a Windows shortcut that launches the bundled OneDriveUpdater[.]exe.
When Roshan-Bandara_CV_Dialog is clicked, cmd[.]exe is launched with the following arguments:
/c start OneDriveUpdater[.]exe (the Windows start command launches the executable from the current directory)
OneDriveUpdater[.]exe is a legitimate Microsoft executable used to sync data to cloud servers. In this case it is abused to load the attacker’s DLL.
version.dll, a dependency of OneDriveUpdater[.]exe, sits in the same directory, and the actors modified this DLL so that it loads an encrypted payload file (OneDrive.update).
That file is then decrypted, and the first stage of the shellcode is loaded into memory. To preserve the legitimate DLL’s functionality, the threat actors also use the DLL proxying technique: the original library is kept alongside as vresion.dll so the malicious version.dll can forward calls to it.
The in-memory code, Brute Ratel C4, runs as a thread inside the RuntimeBroker[.]exe process space and begins communicating with IP 174.129.157[.]251 on TCP port 443.
The image below shows how the ISO’s contents would look with the “show hidden files” option enabled.
OneDriveUpdater[.]exe is a legitimate Microsoft executable, but the version[.]dll it loads has been altered to serve as a loader for a Brute Ratel badger that is injected into the RuntimeBroker[.]exe process.
Once Brute Ratel has been loaded, the threat actors can remotely access the infected device to run commands and spread further through the compromised network.
Indicators of Compromise
Brute Ratel C4 ISO Samples:
X64 Brute Ratel C4 Windows Kernel Module:
APT29 ISO Samples:
X64 Brute Ratel C4 Samples:
Malicious Encrypted Payloads:
X.509 Cert SHA1s:
Infrastructure linked to X.509 Certs or Samples: