Adversaries have adopted yet another legitimate red-teaming simulation tool to evade detection. Taking the place of Cobalt Strike and Metasploit’s Meterpreter is Brute Ratel (aka BRc4), a red team and adversary simulation framework released in late 2020. It does not assist in creating exploits; instead, it is designed to operate undetected by security solutions.
A single-user one-year license currently costs $2,500 and is sold only to verified companies. Chetan Nayak, the security engineer who released the product, claimed that threat actors somehow acquired a leaked license to run attack campaigns.
To stay protected against Brute Ratel-enabled attacks and identify the suspicious activity in your network in a timely manner, in cases where most security software has failed to flag it as malicious, use the dedicated Sigma rule now available in the Detection as Code platform:
This detection is applicable to 26 SIEM, EDR, and XDR language formats supported by SOC Prime’s platform and is mapped to the MITRE ATT&CK® framework, addressing the Defense Evasion tactic with Masquerading (T1036) as the corresponding primary technique.
SOC Prime’s team of content developers has also released other relevant generic rules that will come in handy:
Cybersecurity practitioners can access this content item after signing up for or logging into SOC Prime’s platform. Press the Detect & Hunt button to access a vast library of detection content. Click the Explore Threat Context button to gain instant access to the list of relevant detection content and exhaustive contextual information available at your fingertips without registration.
Brute Ratel is a C2 framework designed to evade defenses and observation. In simulations of real-life attacks, red team operators use it to deploy “badgers” on remote hosts. Badgers function similarly to Cobalt Strike beacons: they connect to the operators’ command-and-control server, enabling remote code execution. The current version lets users create command-and-control channels over legitimate services such as Microsoft Teams, Slack, and Discord. It can use undocumented syscalls in place of standard Windows API calls to avoid detection and inject shellcode into already running processes. BRc4 also features a debugger that recognizes EDR hooks and avoids triggering their detections, as well as a visual interface for LDAP queries across domains. The studied sample was packaged as a self-contained ISO containing a Windows shortcut (LNK) file, a malicious DLL, and a legitimate copy of Microsoft OneDrive Updater. When the legitimate tool was executed, the malicious payload was delivered via DLL search order hijacking.
Palo Alto Networks’ researchers report that several of the detected attackers’ IPs were traced to Ukraine. The victims were located in Mexico, Argentina, and North America.
To bolster your cyber resilience by staying current with the events pertaining to the cybersecurity industry, follow the SOC Prime blog. Looking for a trustworthy platform to distribute your detection content while promoting collaborative cyber defense? Join SOC Prime’s crowdsourcing program to share your Sigma and YARA rules with the community, drive positive change in cybersecurity, and earn a stable income for your contribution!