Brute Ratel-Powered Attacks Detection: Post-Exploitation Toolkit Leveraged by Adversaries

Pentest Tool ‘Brute Ratel C4’

Adversaries have adopted yet another legitimate red-teaming tool to evade detection. As an alternative to Cobalt Strike and Metasploit's Meterpreter, threat actors are now turning to Brute Ratel (aka BRc4), a red team and adversary simulation framework first released in late 2020. BRc4 does not help create exploits; it is a post-exploitation toolkit built to operate undetected by security solutions.

A single-user one-year license currently costs $2,500 and is sold only to verified companies. Chetan Nayak, the security engineer who released the product, stated that threat actors somehow obtained a leaked licensed copy of the software and used it to run attack campaigns.

Detect Brute Ratel-Powered Attacks

To stay protected against Brute Ratel-enabled attacks and identify the suspicious activity in your network in time, especially since most security software has failed to flag it as malicious, use the dedicated Sigma rule now available in the Detection as Code platform:

Possible Version.dll Masquerading Attempt (via image_load)

This detection is applicable to 26 SIEM, EDR, and XDR language formats supported by SOC Prime's platform and is mapped to the MITRE ATT&CK® framework, addressing the Defense Evasion tactic with Masquerading (T1036) as the corresponding primary technique.

SOC Prime's content developers have also released related generic rules that will come in handy for the ISO-based delivery described below:

Suspicious Execution from Mounted Drive (via process_creation)

Suspicious Execution from ISO File (via process_creation)

Cybersecurity practitioners can access these content items after signing up for or logging into SOC Prime's platform. Press the Detect & Hunt button to access the full library of detection content. Click the Explore Threat Context button to get the list of relevant detection content together with exhaustive contextual information, available without registration.


Brute Ratel Description

Brute Ratel is a C2 framework designed to evade defenses and observation. In simulations of real-life attacks, red teamers use it to deploy "badgers" on remote hosts. Badgers function much like Cobalt Strike beacons: they call back to the operator's command-and-control server and enable remote code execution. The current version lets operators build command-and-control channels over legitimate services such as Microsoft Teams, Slack, and Discord. It can issue undocumented syscalls in place of standard Windows API calls, which sidesteps user-mode API hooks, and it can inject shellcode into already running processes. BRc4 also ships a debugger that recognizes EDR hooks and avoids triggering them, as well as a visual interface for LDAP queries across domains.

The studied sample was packaged as a self-contained ISO containing a Windows shortcut (LNK) file, a malicious DLL, and a legitimate copy of the Microsoft OneDrive Updater. When the legitimate updater ran, it loaded the malicious DLL through DLL search order hijacking, which is the behavior the Version.dll masquerading rule above looks for on image_load events, while the two process_creation rules cover the execution of the updater from the mounted ISO.
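As an added example that is not SOC Prime's rule content and not Brute Ratel code, the following Python script implements toy versions of both detections from the rules listed above (version.dll masquerading on image_load, and execution from a mounted drive or ISO on process_creation) and runs them over constructed Sysmon-style events that mimic the ISO/LNK/OneDriveUpdater.exe/version.dll chain. The Sysmon field names are real; the allowlisted system directories, the assumption that C: is the system drive, and the "parent is explorer.exe" heuristic are assumptions made for this example.

```python
"""Added example, not SOC Prime's Sigma content: toy versions of the two
detections discussed in this post, run over constructed Sysmon-style events.

Field names follow Sysmon (Event ID 7 ImageLoad: Image, ImageLoaded;
Event ID 1 ProcessCreate: Image, ParentImage).  The allowlisted
directories, the assumption that C: is the system drive, and the
"launched by explorer.exe" heuristic are this example's own choices."""
from pathlib import PureWindowsPath

# Where a genuine version.dll is expected to load from (assumes C: is the
# system drive; tune this allowlist for your fleet).
LEGIT_VERSION_DLL_DIRS = (
    "c:\\windows\\system32",
    "c:\\windows\\syswow64",
    "c:\\windows\\winsxs",
)


def _norm(path: str) -> str:
    """Lower-case and use backslashes so prefix checks are reliable."""
    return path.replace("/", "\\").lower()


def _drive_letter(path: PureWindowsPath) -> str:
    """Return the drive letter ('d') for lettered drives, '' for UNC/relative."""
    drive = path.drive
    return drive[0] if len(drive) == 2 and drive[1] == ":" else ""


def is_version_dll_hijack(event: dict) -> bool:
    """ImageLoad: version.dll loaded from outside the Windows system directories.

    This is the DLL search-order hijack used in the analysed sample, where a
    legitimate OneDriveUpdater.exe picked up a malicious version.dll sitting
    next to it on the mounted ISO."""
    loaded = _norm(event.get("ImageLoaded", ""))
    if PureWindowsPath(loaded).name != "version.dll":
        return False
    return not any(loaded.startswith(d + "\\") for d in LEGIT_VERSION_DLL_DIRS)


def is_exec_from_volume_root(event: dict, system_drive: str = "c") -> bool:
    """ProcessCreate: image sits directly at the root of a non-system lettered
    drive.  A mounted ISO exposes its files at the root of a fresh drive
    letter, so this is a cheap proxy for "executed from ISO"."""
    image = PureWindowsPath(_norm(event.get("Image", "")))
    letter = _drive_letter(image)
    if not letter or letter == system_drive:
        return False
    return image.parent == PureWindowsPath(image.anchor)


def is_explorer_exec_from_other_drive(event: dict, system_drive: str = "c") -> bool:
    """ProcessCreate: the user double-clicked (parent explorer.exe) an
    executable on a drive other than the system drive (mounted ISO, USB, VHD)."""
    image = PureWindowsPath(_norm(event.get("Image", "")))
    parent = PureWindowsPath(_norm(event.get("ParentImage", "")))
    letter = _drive_letter(image)
    if not letter or letter == system_drive:
        return False
    return parent.name == "explorer.exe"


def detect(events: list) -> list:
    """Run all checks; return (event index, reason) for every hit."""
    findings = []
    for i, ev in enumerate(events):
        if ev.get("EventID") == 7 and is_version_dll_hijack(ev):
            findings.append((i, "version.dll loaded outside system directories"))
        elif ev.get("EventID") == 1:
            if is_exec_from_volume_root(ev):
                findings.append((i, "execution from root of non-system volume"))
            elif is_explorer_exec_from_other_drive(ev):
                findings.append((i, "explorer-launched execution from non-system drive"))
    return findings


# Constructed sample telemetry (not captured data); events 0 and 1 mimic the
# ISO -> LNK -> OneDriveUpdater.exe -> version.dll chain described above.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "D:\\OneDriveUpdater.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 7, "Image": "D:\\OneDriveUpdater.exe",
     "ImageLoaded": "D:\\version.dll"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\notepad.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll"},
    {"EventID": 1, "Image": "C:\\Program Files\\Microsoft OneDrive\\OneDriveUpdater.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "Image": "E:\\tools\\build\\make.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 1, "Image": "E:\\tools\\setup.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for idx, reason in detect(SAMPLE_EVENTS):
        print(f"[{idx}] {reason}: {SAMPLE_EVENTS[idx]}")
```

The version.dll check is the high-signal one: there is no legitimate reason for that library to load from a user-writable directory next to a signed binary, so the allowlist can stay tight. The drive-letter heuristics are noisier (build servers, USB installers) and are best correlated with the volume-mount telemetry your EDR records before they are promoted from hunting queries to alerts.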

Palo Alto Networks’ researchers report that several of the detected attackers’ IPs were traced to Ukraine. The victims were located in Mexico, Argentina, and North America.

To bolster your cyber resilience by staying current with the events pertaining to the cybersecurity industry, follow the SOC Prime blog. Looking for a trustworthy platform to distribute your detection content while promoting collaborative cyber defense? Join SOC Prime’s crowdsourcing program to share your Sigma and YARA rules with the community, drive positive change in cybersecurity, and earn a stable income for your contribution!
