ARN

Attacker groups adopt new penetration testing tool Brute Ratel

APT group's use of a legitimate pen-testing tool gives them stealth capabilities, allowing them to avoid detection by EDR and antivirus tools.

Security researchers have recently identified several attack campaigns that use APT-like targeting techniques and deploy Brute Ratel C4 (BRc4), a relatively new adversary simulation framework.

While hackers abusing penetration testing tools is not a new development -- Cobalt Strike and Metasploit's Meterpreter have been used by threat groups for years -- Brute Ratel is focused on detection evasion techniques, so it might pose a real challenge to defence teams.

"The emergence of a new penetration testing and adversary emulation capability is significant," researchers from security firm Palo Alto Networks said in a new report analysing several recent samples. "Yet more alarming is the effectiveness of BRc4 at defeating modern defensive EDR and AV detection capabilities."

Brute Ratel: a part-time hobby project that became a commercial product

Brute Ratel is developed by Chetan Nayak, also known as Paranoid Ninja, a former detection engineer and red teamer who lists CrowdStrike and Mandiant as past employers. The project was launched in December 2020 and slowly grew in features and capabilities.

In January, Nayak announced that he had decided to focus full time on developing the tool and associated training courses, and he released major version 1.0 in May.

The tool now provides the capability to write command-and-control channels that use legitimate services like Slack, Discord and Microsoft Teams. It can inject shellcode into existing processes and use undocumented syscalls instead of normal Windows API calls that are monitored by security software.

BRc4 can also perform in-memory execution of various types of code and scripts as well as DLL reflection techniques. It has a graphic interface for LDAP queries across domains and includes a debugger that detects EDR hooks and avoids triggering their detection.

According to Nayak's Twitter posts, BRc4 has more than 350 customers who bought more than 480 licenses. A one-year licence costs $2,500 and a renewal $2,250. While this might seem expensive for an independent penetration tester, the cost is quite affordable for legitimate companies as well as malicious threat actors.

Signs of BRc4 misuse

The Palo Alto Networks researchers recently found a malware sample from May that deployed BRc4 and used packaging and delivery techniques that were similar to those observed in recent APT29 campaigns.

APT29, also known as Cozy Bear, is a threat group believed to be associated with or part of one of Russia's intelligence agencies. It was responsible for attacks against many government agencies over the years, including the attack on the Democratic National Committee in the U.S. in 2016.

The sample, which was uploaded to VirusTotal by an IP in Sri Lanka, was called Roshan_CV.iso. An .iso file is an optical disc image -- essentially a copy of the file system on an optical disc. Windows can open such files automatically by mounting them to a drive letter and will list the files inside as it would for a directory.

The only non-hidden file in the Roshan_CV sample was called Roshan-Bandara_CV_Dialog.lnk, which had a Word icon to make it look like a Word document. In reality it was a Windows shortcut file with parameters to execute cmd.exe and start a hidden file from the same directory called OneDriveUpdater.exe. This is a legitimate Microsoft-signed file associated with the Microsoft OneDrive file syncing tool.

The attackers used a legitimate file because this executable searches for and loads another file called Version.dll if it is placed in the same directory.

The attackers provided their own maliciously modified Version.dll file to be executed by the legitimate OneDriveUpdater.exe. This is a technique used by attackers called DLL search order hijacking and can be effective at evading detection because the malicious code is loaded by a legitimate and trusted process.

Another file called vresion.dll (intentionally misspelled) was included in the same directory. This is an exact copy of the legitimate version.dll file and was included so that the rogue version can proxy any legitimate function calls to it to keep the OneDrive process functional. 

On the side, the rogue DLL also decrypted and launched a payload stored inside another hidden file called OneDrive.Update. The decrypted payload was actually shellcode that then decrypted Brute Ratel C4 code in a way that was hard to detect, using thousands of push and mov assembly instructions to copy the code while avoiding in-memory detection.

All these deployment techniques, down to the use of an .iso file with a .lnk inside that performed DLL search order hijacking, were observed in a recent APT29 campaign that distributed a file called Decret.iso.
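As an added illustration (not code from the article or from the Palo Alto Networks report), the following Python example triages the file listing of a mounted image for the layout described above: a shortcut as the only visible file, a DLL carrying a Windows system DLL name next to an executable, and a near-miss copy of that name kept for call proxying. The `SYSTEM_DLLS` subset, the function names and the sample listing are assumptions constructed for this example.

```python
# Added example: triage a mounted image's file listing for the
# LNK + DLL side-loading layout described in the article.
# SYSTEM_DLLS is a small illustrative subset, not a complete list.
SYSTEM_DLLS = {"version.dll", "winhttp.dll", "dbghelp.dll", "cryptbase.dll"}


def edit_distance(a, b):
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(entries):
    """entries: list of (file name, hidden flag). Returns a list of findings."""
    findings = []
    names = [name.lower() for name, _ in entries]
    visible = [name for name, hidden in entries if not hidden]
    has_exe = any(n.endswith(".exe") for n in names)

    # Lure: the only file the user sees is a shortcut.
    if len(entries) > 1 and len(visible) == 1 and visible[0].lower().endswith(".lnk"):
        findings.append(("lnk_only_visible", visible[0]))

    for n in names:
        if not n.endswith(".dll"):
            continue
        # A system DLL name beside an EXE outside the Windows directory
        # is found first by the DLL search order.
        if n in SYSTEM_DLLS and has_exe:
            findings.append(("system_dll_name_beside_exe", n))
        # A near-miss of a system DLL name suggests a renamed original
        # kept so the rogue DLL can forward legitimate calls to it.
        elif any(0 < edit_distance(n, s) <= 2 for s in SYSTEM_DLLS):
            findings.append(("near_miss_system_dll_name", n))
    return findings


# Constructed listing that mirrors the file names reported in the article.
SAMPLE = [
    ("Roshan-Bandara_CV_Dialog.lnk", False),
    ("OneDriveUpdater.exe", True),
    ("Version.dll", True),
    ("vresion.dll", True),
    ("OneDrive.Update", True),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Each finding is a triage lead rather than a verdict; legitimate installers also ship DLLs next to executables, so the hits are meant to be combined and then checked against signatures and file hashes.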

A code analysis revealed that OneDrive.Update was an almost exact copy of badger_x64.exe, an in-memory component that is part of the Brute Ratel C4 framework. An analysis of the command-and-control server used by OneDrive.Update revealed connections from three IP addresses in Sri Lanka, suggesting multiple victims in the region. 

An analysis of another badger_x64.exe sample uploaded to VirusTotal from Ukraine revealed another C2 server that received connections from an Argentinian organisation, an IP television provider providing North and South American content and a major textile manufacturer in Mexico.

The C2 server for the second sample used a self-signed certificate issued to the name Microsoft Security. The Palo Alto researchers tracked the certificate's history and determined it had been used on another 41 IP addresses over the past year.

"These addresses follow a global geographic dispersion and are predominantly owned by large virtual private server (VPS) hosting providers," the researchers said. "Expanding our research beyond the two samples discussed above, we have also identified an additional seven samples of BRc4 dating back to February 2021."

Abuse of legitimate security tools is common

While organisations should certainly be aware that BRc4 is quickly becoming a tool found in the arsenal of hacker groups, it does not mean that its creator had malicious intentions or is involved in these activities. In fact, following Palo Alto Networks' report, Nayak said on Twitter that he revoked the misused licenses and is ready to provide authorities with any relevant information.

Many tools that were created by and for security experts, to be used in a defensive manner and in sanctioned red teaming engagements, have become hacker favourites over the years and have been adopted by both APT groups and cybercriminal gangs.

The Cobalt Strike and Meterpreter implants; the Mimikatz credential dumping tool; the PsExec remote code execution tool, which is part of Microsoft's Sysinternals package; and the open-source PowerShell Empire post-exploitation framework are just some of the most common examples.

That said, the use of such tools, and now BRc4, on networks and systems should at the very least raise alerts that should be investigated. The Palo Alto Networks report contains indicators of compromise for the identified samples.