Attacker Groups Adopt New Brute Ratel Penetration Testing Tool

Security researchers have recently identified several attack campaigns that use APT-like targeting techniques and deploy Brute Ratel C4 (BRc4), a relatively new adversary simulation framework. While attackers abusing penetration testing tools aren’t a new development – Cobalt Strike and Metasploit’s Meterpreter have been used by threat groups for years – Brute Ratel focuses on detection evasion techniques, which could pose a real challenge to defense teams.

“The emergence of a new capability for penetration testing and adversary emulation is significant,” researchers from security firm Palo Alto Networks said in a new report analyzing several recent samples. “Even more alarming is the effectiveness of BRc4 in defeating modern defensive EDR and AV detection capabilities.”

Brute Ratel: a part-time hobby project that became a commercial product

Brute Ratel is developed by Chetan Nayak, also known as Paranoid Ninja, a former detection engineer and Red Team member who lists CrowdStrike and Mandiant as former employers. The project was launched in December 2020 and has slowly increased its features and capabilities. In January, Nayak announced that he had decided to focus full-time on developing the tool and associated training courses and released major version 1.0 in May.

The tool now offers the ability to write command and control channels that use legitimate services such as Slack, Discord, and Microsoft Teams. It can inject shellcode into existing processes and uses undocumented system calls instead of the normal Windows API calls that security software monitors. BRc4 can also perform in-memory execution of various types of code and scripts as well as DLL reflection techniques. It has a GUI for LDAP queries across domains and includes a debugger that detects EDR hooks and avoids triggering their detection.

According to Nayak’s Twitter posts, BRc4 has over 350 customers who have purchased over 480 licenses. A one-year license costs $2,500 and a renewal $2,250. Although it may seem expensive for a freelance penetration tester, the cost is quite affordable for legitimate businesses as well as malicious actors.

Signs of BRc4 misuse

Palo Alto Networks researchers recently discovered a malware sample from May that deployed BRc4 and used packaging and delivery techniques similar to those seen in recent APT29 campaigns. APT29, also known as Cozy Bear, is a threat group believed to be associated with or part of one of the Russian intelligence agencies. It has been responsible for attacks on numerous government agencies over the years, including the attack on the Democratic National Committee in the United States in 2016.

The sample, which was uploaded to VirusTotal by an IP address in Sri Lanka, was named Roshan_CV.iso. An .iso file is an optical disc image – essentially a copy of the file system on an optical disc. Windows can open these files automatically by mounting them to a drive letter and will list the files inside as a directory.

The only non-hidden file in the Roshan_CV sample was called Roshan-Bandara_CV_Dialog.lnk, which had a Word icon to make it look like a Word document. It was actually a Windows shortcut file with parameters to run cmd.exe and start a hidden file from the same directory called OneDriveUpdater.exe. This is a legitimate file signed by Microsoft and associated with the Microsoft OneDrive file synchronization tool.

The reason the attackers used a legitimate file is that this executable looks for and loads another file called Version.dll if one is placed in the same directory. The attackers provided their own maliciously modified Version.dll file to be executed by the legitimate OneDriveUpdater.exe. This technique is known as DLL search order hijacking, and it can be effective in evading detection because the malicious code is loaded by a legitimate and trusted process.

Another file called vresion.dll (intentionally misspelled) was included in the same directory. This is an exact copy of the legitimate version.dll file and was included so that the rogue version can forward all legitimate function calls to it and keep the OneDrive process running. Alongside that, the rogue DLL also decrypted and launched a payload stored in another hidden file called OneDrive.Update. The decrypted payload was actually shellcode, which then decrypted the Brute Ratel C4 code in a hard-to-detect way, using thousands of push and mov assembly instructions to copy the code while avoiding in-memory detection.

All of these deployment techniques, down to the use of an .iso file with a .lnk inside that performed DLL search order hijacking, were seen in a recent APT29 campaign that distributed a file called Decree.iso.
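The delivery chain described above (a visible shortcut lure, a hidden signed executable, a rogue DLL with a hijackable name, and a misspelled proxy copy of the real DLL) leaves a recognizable footprint in the extracted ISO contents. The following triage script is an added example, not code from the article or from Palo Alto Networks; the file listing it checks is constructed to mirror the layout the article describes, and the `HIJACKABLE_DLLS` set is a placeholder list of DLL names that are commonly resolved from an executable's own directory before System32.

```python
"""Static triage of an extracted dropper directory (e.g. mounted ISO contents).

Added example, not code from the article.  The directory listing below is
constructed to match the layout described for Roshan_CV.iso.
"""
from __future__ import annotations

from dataclasses import dataclass

# Placeholder list of DLL names often loaded from the application directory
# before System32; extend it from your own telemetry (assumption, not from
# the article).
HIJACKABLE_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll"}


@dataclass
class Entry:
    name: str
    hidden: bool = False
    signed: bool = False            # Authenticode signature verified (assumed input)
    lnk_args: str | None = None     # command line stored in the shortcut, if .lnk


# Constructed listing mirroring the article's description of the ISO contents.
SAMPLE_DIR = [
    Entry("Roshan-Bandara_CV_Dialog.lnk", lnk_args="cmd.exe /c start OneDriveUpdater.exe"),
    Entry("OneDriveUpdater.exe", hidden=True, signed=True),
    Entry("Version.dll", hidden=True),
    Entry("vresion.dll", hidden=True),
    Entry("OneDrive.Update", hidden=True),
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot near-misspellings of known DLL names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(entries: list[Entry]) -> list[str]:
    """Return human-readable findings for the side-loading dropper pattern."""
    findings: list[str] = []
    signed_exe_present = any(e.name.lower().endswith(".exe") and e.signed for e in entries)

    for e in entries:
        n = e.name.lower()
        # Shortcut lure that launches cmd.exe rather than opening a document.
        if n.endswith(".lnk") and e.lnk_args and "cmd.exe" in e.lnk_args.lower():
            findings.append(f"{e.name}: shortcut launches cmd.exe ({e.lnk_args})")
        if n.endswith(".dll"):
            # A hijackable DLL name dropped next to a signed executable.
            if n in HIJACKABLE_DLLS and signed_exe_present:
                findings.append(f"{e.name}: hijackable DLL name beside a signed executable")
            # A near-duplicate name (e.g. vresion.dll) is the proxy copy the
            # rogue DLL forwards legitimate calls to.
            for known in HIJACKABLE_DLLS:
                if n != known and edit_distance(n, known) <= 2:
                    findings.append(f"{e.name}: near-duplicate of {known} (proxy DLL candidate)")

    visible = [e for e in entries if not e.hidden]
    hidden = [e for e in entries if e.hidden]
    if len(visible) == 1 and hidden:
        findings.append(
            f"single visible lure {visible[0].name} with {len(hidden)} hidden files"
        )
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_DIR):
        print(line)
```

Run against a real extraction, the `signed` and `lnk_args` fields would come from an Authenticode check and a .lnk parser respectively; the script deliberately keeps those as inputs so the heuristics themselves stay readable.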

A code analysis revealed that OneDrive.Update is an almost exact copy of badger_x64.exe, an in-memory component that is part of the Brute Ratel C4 framework. An analysis of the command and control server used by OneDrive.Update revealed connections from three IP addresses in Sri Lanka, suggesting multiple victims in the region. An analysis of another badger_x64.exe sample uploaded to VirusTotal from Ukraine revealed that another C2 server was receiving connections from an Argentinian organization, an IPTV provider serving North and South American content, and a major textile manufacturer in Mexico.

The C2 server in the second example used a self-signed certificate issued in the name of Microsoft Security. Palo Alto researchers tracked the history of the certificate and determined that it had been used on 41 other IP addresses over the past year.

“These addresses follow a global geographic dispersion and are mostly held by large virtual private server (VPS) hosting providers,” the researchers said. “Expanding our search beyond the two samples discussed above, we also identified seven additional BRc4 samples dating from February 2021.”

Abuse of legitimate security tools is common

Although organizations should certainly be aware that BRc4 is quickly becoming a tool in the arsenal of hacker groups, this does not mean that its creator had malicious intentions or is involved in such activities. In fact, following the Palo Alto Networks report, Nayak said on Twitter that he revoked abused licenses and is ready to provide the authorities with any relevant information.

Many tools that were created by and for security experts for defensive use and sanctioned red team engagements have become hacker favorites over the years and have been adopted by both APT groups and cybercriminal gangs. Cobalt Strike and Meterpreter implants; the Mimikatz credential dumping tool; the PsExec remote code execution tool, which is part of Microsoft’s Sysinternals package; and the Empire PowerShell open-source post-exploitation framework are just a few of the more common examples.

That said, the use of such tools, and now BRc4, on networks and systems should at the very least trigger alerts that should be investigated. The Palo Alto Networks report contains indicators of compromise for the identified samples.
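What "should at least trigger alerts" looks like for this particular chain can be expressed as two detections over endpoint telemetry: a shortcut-driven `explorer.exe` → `cmd.exe` launch of an executable from a freshly mounted drive, and a Microsoft-signed process loading an unsigned DLL with a hijackable name from its own directory. The code below is an added example, not code from the article or from Palo Alto Networks; the events are constructed, their field names follow the shape of Sysmon event ID 1 (process create) and ID 7 (image load), and the assumption that `C:` is the system drive is hard-coded and labelled.

```python
"""Two detections for the BRc4 delivery chain over constructed Sysmon-style events.

Added example, not the article's or Palo Alto Networks' code.  Field names
mirror Sysmon event ID 1 (process create) and ID 7 (image load); all values
are constructed.
"""
from __future__ import annotations

import ntpath
import re

# Placeholder set of DLL names commonly resolved from the application
# directory before System32 (assumption, extend from your own telemetry).
HIJACKABLE_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
SYSTEM_DRIVE = "c:\\"  # assumption for this example

# "start" launching an .exe given by an absolute path, optionally quoted.
START_EXE = re.compile(r'start\b.*?"?([a-z]:\\[^"]*?\.exe)"?', re.I)

EVENTS = [  # constructed telemetry
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'cmd.exe /c start "" "E:\OneDriveUpdater.exe"'},
    {"EventID": 1, "Image": r"E:\OneDriveUpdater.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"E:\OneDriveUpdater.exe"},
    {"EventID": 7, "Image": r"E:\OneDriveUpdater.exe",
     "ImageLoaded": r"E:\Version.dll", "Signed": "false", "Signature": ""},
    {"EventID": 7, "Image": r"E:\OneDriveUpdater.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true",
     "Signature": "Microsoft Windows"},
    {"EventID": 7, "Image": r"C:\Program Files\Git\cmd\git.exe",  # benign load
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true",
     "Signature": "Microsoft Windows"},
]


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def detect_sideload(ev: dict) -> str | None:
    """Unsigned DLL with a hijackable name loaded from the process's own directory."""
    if ev.get("EventID") != 7:
        return None
    loaded = ev["ImageLoaded"]
    if _base(loaded) not in HIJACKABLE_DLLS:
        return None
    if _dir(loaded).startswith(SYSTEM_DIRS):
        return None  # resolved from the system directory: expected
    if _dir(loaded) != _dir(ev["Image"]):
        return None
    if ev.get("Signed", "false").lower() == "true":
        return None
    return f"sideload: {ev['Image']} loaded unsigned {loaded} from its own directory"


def detect_lnk_chain(ev: dict) -> str | None:
    """explorer.exe -> cmd.exe 'start' of an executable outside the system drive."""
    if ev.get("EventID") != 1:
        return None
    if _base(ev["Image"]) != "cmd.exe" or _base(ev["ParentImage"]) != "explorer.exe":
        return None
    m = START_EXE.search(ev["CommandLine"])
    if not m:
        return None
    target = m.group(1)
    if target.lower().startswith(SYSTEM_DRIVE):
        return None
    return f"lnk-chain: explorer->cmd.exe started {target} from a non-system drive"


def run_detections(events: list[dict]) -> list[str]:
    """Apply both detections and return the alerts they raise, in event order."""
    alerts: list[str] = []
    for ev in events:
        for rule in (detect_lnk_chain, detect_sideload):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in run_detections(EVENTS):
        print(alert)
```

The benign `git.exe` event is included to show that a legitimate `version.dll` load from System32 does not fire; the side-load rule keys on the DLL being resolved from the executable's own directory and lacking a signature, which is the part of the chain an attacker cannot avoid when hijacking a signed host process this way.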

Copyright © 2022 IDG Communications, Inc.
