2022-07-13

Brute Ratel C4 Trending

Industry: N/A | Level: Strategic | Source: Palo Alto Unit42

Palo Alto Unit42's latest research details the rise of the penetration testing tool Brute Ratel C4 (BRc4), created by Chetan Nayak (aka Paranoid Ninja) in December 2020. The tool has been gaining traction among threat actors, some of whom favor it over the popular Cobalt Strike framework. BRc4 is a highly capable framework whose development focused on evading security products, including endpoint detection and response (EDR) and antivirus (AV); Nayak states that he reverse engineered several "top tier EDR and Antivirus DLLs." Where Cobalt Strike uses beacons, BRc4 calls its implants "badgers," which check in with the command-and-control (C2) server to receive commands.

On the infrastructure side, Unit42 found: "in terms of C2, we found that the sample called home to an Amazon Web Services (AWS) IP address located in the United States over port 443. Further, the X.509 certificate on the listening port was configured to impersonate Microsoft with an organization name of 'Microsoft' and organization unit of 'Security.' Additionally, pivoting on the certificate and other artifacts, we identified a total of 41 malicious IP addresses, nine BRc4 samples, and an additional three organizations across North and South America who have been impacted by this tool so far." Because a genuine Microsoft certificate is issued by a Microsoft CA, a certificate whose subject claims the Microsoft organization but is self-signed or issued by an unrelated CA is a usable hunting pivot.

The deployment of BRc4 has been observed borrowing TTPs from APT29: victims receive a malicious ISO file containing an LNK file masquerading as a Microsoft Word cover letter, and opening the shortcut leads to execution of the BRc4 payload. The supporting files are also inside the ISO but carry the hidden attribute. Among them is OneDriveUpdater.exe, a legitimate Microsoft-signed binary that is abused for DLL side-loading. As Unit42 describes it: "OneDriveUpdater.exe is a digitally signed binary by Microsoft that is used to synchronize data from a local machine to the cloud. It is not malicious and is being abused to load the actor's DLL. Once OneDriveUpdater.exe is executed, the following actions occur: Since Version.dll is a dependency DLL of OneDriveUpdater.exe and exists in the same directory as OneDriveUpdater.exe, it will be loaded." In other words, the loader searches the application's own directory before the system directory for a DLL that is not on the KnownDLLs list, so the actor's Version.dll placed beside the signed executable is picked up instead of the system copy and the malicious code runs under a trusted, signed parent process.
The combination of a single ISO image, an LNK lure, hidden supporting files and an abused digitally signed binary is tradecraft that Unit42 has frequently observed from nation-state APT groups. BRc4 is sold commercially for $2,500, and the vendor requires a verified business address from purchasers.
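Two hunting checks derived from the artifacts above, as an added example written for this summary (it is not Unit42's tooling and not code from BRc4). The ssl.log-style records and the mounted-ISO listing are constructed (TEST-NET addresses, invented file names); the allowlist of Microsoft CA organization names and the side-loadable DLL names other than version.dll are assumptions to be replaced with your own inventory.

```python
"""Hunting checks for the two BRc4 artifacts in the Unit42 summary:
1. a TLS certificate that claims O=Microsoft but was not issued by a Microsoft CA;
2. a Microsoft-signed executable sitting beside a non-Microsoft DLL that
   carries a system DLL name (OneDriveUpdater.exe + version.dll).
Added example; all sample data below is constructed, not observed."""
from typing import Dict, List, Optional, Tuple


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse a comma-separated X.509 distinguished name such as
    'CN=foo,O=Microsoft,OU=Security' into {ATTRIBUTE: value}.
    Escaped commas are not handled; sensor logs rarely need them."""
    out: Dict[str, str] = {}
    for part in dn.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().upper()] = value.strip()
    return out


# Assumption: organization names used by genuine Microsoft issuing CAs.
MICROSOFT_CA_ORGS = {"microsoft corporation"}


def cert_impersonates_microsoft(subject: str, issuer: str) -> Optional[str]:
    """Return a reason if the subject claims Microsoft but the issuer is not a
    Microsoft CA (self-signed, or an unrelated CA); None otherwise."""
    subj = parse_dn(subject)
    iss = parse_dn(issuer)
    if "microsoft" not in subj.get("O", "").lower():
        return None  # subject does not claim Microsoft; nothing to check
    if subj == iss:
        return "self-signed certificate claiming O=%s" % subj["O"]
    if iss.get("O", "").lower() not in MICROSOFT_CA_ORGS:
        return "claims O=%s but issued by %r" % (subj["O"], iss.get("O") or "<none>")
    return None


def hunt_ssl_log(records: List[dict]) -> List[Tuple[str, int, str]]:
    """Apply the certificate check to Zeek-style ssl.log records with the keys
    resp_h, resp_p, subject, issuer; return (server IP, port, reason) per hit."""
    hits: List[Tuple[str, int, str]] = []
    for rec in records:
        reason = cert_impersonates_microsoft(rec["subject"], rec["issuer"])
        if reason is not None:
            hits.append((rec["resp_h"], rec["resp_p"], reason))
    return hits


def _split_path(path: str) -> Tuple[str, str]:
    """Split a Windows or POSIX path into (directory, file name)."""
    head, _, tail = path.replace("\\", "/").rpartition("/")
    return head, tail


# Assumption: DLL names a signed binary resolves by name and normally finds in
# System32. Only version.dll is taken from the report; the rest are common
# side-load targets added for illustration.
SIDELOAD_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll"}


def _is_microsoft_signed(entry: dict) -> bool:
    return (entry.get("signer") or "").lower() == "microsoft corporation"


def sideload_candidates(listing: List[dict]) -> List[Tuple[str, str, str]]:
    """Group a file listing by directory and report every Microsoft-signed .exe
    that shares a directory with a non-Microsoft DLL named like a system DLL.
    Each entry has 'path', 'signer' (None if unsigned) and 'hidden'."""
    by_dir: Dict[str, List[dict]] = {}
    for entry in listing:
        by_dir.setdefault(_split_path(entry["path"])[0], []).append(entry)
    hits: List[Tuple[str, str, str]] = []
    for entries in by_dir.values():
        exes = [e for e in entries
                if _split_path(e["path"])[1].lower().endswith(".exe") and _is_microsoft_signed(e)]
        dlls = [e for e in entries
                if _split_path(e["path"])[1].lower() in SIDELOAD_DLL_NAMES and not _is_microsoft_signed(e)]
        for exe in exes:
            for dll in dlls:
                reason = "unsigned" if dll.get("signer") is None else "signed by %s" % dll["signer"]
                if dll.get("hidden"):
                    reason += ", hidden attribute set"
                hits.append((exe["path"], dll["path"], reason))
    return hits


# Constructed sample data (TEST-NET IPs, invented names); not real observations.
SSL_LOG = [
    {"resp_h": "203.0.113.10", "resp_p": 443,
     "subject": "O=Microsoft,OU=Security", "issuer": "O=Microsoft,OU=Security"},
    {"resp_h": "198.51.100.20", "resp_p": 443,
     "subject": "CN=www.example.test,O=Microsoft Corporation,L=Redmond,ST=WA,C=US",
     "issuer": "CN=Microsoft Azure TLS Issuing CA 01,O=Microsoft Corporation,C=US"},
    {"resp_h": "192.0.2.30", "resp_p": 443,
     "subject": "CN=example.test,O=Example Corp", "issuer": "CN=R3,O=Let's Encrypt,C=US"},
]

MOUNTED_ISO = [  # constructed listing of a mounted ISO plus the genuine System32 copy
    {"path": "E:\\Cover_Letter.lnk", "signer": None, "hidden": False},
    {"path": "E:\\OneDriveUpdater.exe", "signer": "Microsoft Corporation", "hidden": True},
    {"path": "E:\\version.dll", "signer": None, "hidden": True},
    {"path": "C:\\Windows\\System32\\version.dll", "signer": "Microsoft Corporation", "hidden": False},
]

if __name__ == "__main__":
    for hit in hunt_ssl_log(SSL_LOG):
        print("C2 certificate:", hit)
    for hit in sideload_candidates(MOUNTED_ISO):
        print("side-load candidate:", hit)
```

Feed `hunt_ssl_log` records from your TLS sensor (Zeek's ssl.log carries subject and issuer fields) and `sideload_candidates` a listing built from a mounted image or from file-creation telemetry that includes signer information. The checks are deliberately narrow to the pattern in the report; a Microsoft-signed executable next to an unsigned DLL with any system DLL name deserves triage even when the name is not in the list.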
