
Brute Ratel C4: When PenTests Go Bad

The Palo Alto Networks (PANW) Unit 42 threat research team recently found a malware file in VirusTotal, the community site for suspicious files, domains, IPs, and URLs. This one contained a malicious payload associated with Brute Ratel C4 (BRc4), the latest red-team and adversarial attack simulation tool.
Jul 11th, 2022 7:37am by
Featured image by ThisisEngineering RAEng on Unsplash.

The Palo Alto Networks (PANW) Unit 42 threat research team was quietly going about their business when they spotted yet another malware file in VirusTotal, the community site for suspicious files, domains, IPs and URLs. This one had gotten a benign verdict from all 56 vendors that evaluated it. They looked closer and found it was far from benign. Indeed, it contained a malicious payload associated with Brute Ratel C4 (BRc4), the latest red-team and adversarial attack simulation tool.

Although they say “simulation,” it actually can be used to — surprise! — attack systems. I know you’re shocked by this.

Customizable Command and Control

BRc4 has been around since late 2020. It's a highly customizable command-and-control (C2) framework. It does not, its makers claim, include exploit-generation features like Metasploit does, or vulnerability-scanning features like Nessus, Acunetix or Burp Suite.

It does, however, have plenty of capabilities that matter. These include writing command-and-control channels that ride on legitimate services such as Slack, Discord and Microsoft Teams. It can inject shellcode into existing processes and issue undocumented system calls directly rather than going through the normal Windows API functions, which sidesteps the user-mode hooks EDRs place on those APIs. It can run programs and scripts entirely in memory. And it ships with a debugger that detects EDR userland hooks so the operator can avoid tripping them.

Good for Some, Not All

In short, it's very good at its job. But that also means, as PANW states, "This tool is uniquely dangerous in that it was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities." And, given that every one of the 56 VirusTotal engines rated its payload benign, clearly it is.

And, while that’s good for security pros and red teams, it’s not so good for companies that just want to trust their EDR and AV tools will keep them safe. We should be so lucky.

Does this ring a bell? Does the name Cobalt Strike sound familiar? It should. It's another C2 framework that already has quite a reputation for being cracked, leaked and then misused by attackers. Now, it's the stealthier BRc4's turn.

Genie in a Bottle

Brute Ratel's creator Chetan Nayak, aka Paranoid Ninja, a former detection engineer and red teamer for CrowdStrike and Mandiant, immediately revoked the licenses in question. But it's hard to stuff a security genie back into the bottle.

That's especially true given that the tradecraft in these samples resembles that of APT29, aka Cozy Bear, the Russian state-backed group. So far, PANW has identified 41 malicious IP addresses associated with the C2, six BRc4 samples and an additional three organizations across North and South America that have been affected by this tool.

We'll probably see lots more such attacks. Its May release, Brute Ratel v0.9.0 (Checkmate), added functionality its author described as "reverse engineering several top tier EDR and Antivirus DLLs." Silent and deadly. Since then, an even newer version, Brute Ratel v1.0 (Sicilian Defense), has been released.

Now, Its Features Include (Deep Breath)

In terms of features, BRc4 advertises the following capabilities:

  • SMB and TCP payloads that let operators write custom external C2 channels over legitimate services such as Slack, Discord, Microsoft Teams and more.
  • Built-in debugger to detect EDR userland hooks.
  • Ability to keep memory artifacts hidden from EDRs and AV.
  • Direct Windows syscalls made on the fly.
  • Egress over HTTP, HTTPS, DNS over HTTPS, SMB and TCP.
  • LDAP Sentinel, a GUI for running LDAP queries against a domain or forest.
  • Multiple command-and-control channels and pivot options, including SMB, TCP, WMI and WinRM, plus management of remote services over RPC.
  • Screenshot capture.
  • x64 shellcode loader.
  • Reflective and object file loader.
  • Decoding Kerberos (KRB5) tickets and converting them to hashcat format.
  • Patching Event Tracing for Windows (ETW).
  • Patching the Antimalware Scan Interface (AMSI).
  • Creating Windows system services.
  • Uploading and downloading files.
  • Creating files via CreateFileTransacted.
  • Port scanning.

It really is impressive.

What You Can Do

So what can you do to block it when it’s used maliciously? Well, PANW, of course, urges you to defend yourself with its threat prevention, Cortex XDR and WildFire malware analysis. But the company also encourages “all security vendors to create protections to detect activity from this tool and all organizations to be on alert for activity from this tool.”

This is a big deal. Encourage your security providers to follow up on this. You don't want to see your systems compromised by this tool, and a tool built to evade EDR and AV can sit on your systems for months before anyone notices.
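Two of the features listed above, patching ETW and patching AMSI, leave a footprint that a defender can look for from inside a process: the first bytes of exports such as AmsiScanBuffer and EtwEventWrite get overwritten so the function returns early or jumps elsewhere. The script below is an added example written for this article; it is not Brute Ratel's code, not Unit 42's detection logic, and does not claim to match how BRc4 specifically patches anything. The patch idioms it recognizes (a bare ret, xor eax,eax / ret, mov eax,imm32 / ret, and the jmp forms used by inline hooks) are the publicly documented ways these functions are commonly neutered in user mode, so they are assumptions about typical tooling. It also goes one step beyond pattern matching: a baseline snapshot of the prologue bytes taken early in the process, compared again later, catches a patch that matches no known idiom. The SAMPLE_PROLOGUES dictionary is constructed for the dry run (the syscall number in the clean stub is made up), and the live read_prologue / snapshot functions only work on Windows.

```python
"""Heuristic check for in-memory patching of AMSI and ETW entry points.

Added example, not BRc4's or Unit 42's code. Patch idioms are the commonly
documented user-mode ones and are assumptions about typical tooling.
"""
import ctypes
import sys
from typing import Dict, List, Optional

# Exports that in-process evasion typically targets (real Windows export names).
WATCHED: Dict[str, List[str]] = {
    "amsi.dll": ["AmsiScanBuffer", "AmsiScanString"],
    "ntdll.dll": ["EtwEventWrite", "NtTraceEvent"],
}

# Constructed sample prologues for a dry run; not captured from any real process.
SAMPLE_PROLOGUES: Dict[str, bytes] = {
    # mov eax,0x80070057 (E_INVALIDARG) ; ret  -> AMSI reports "invalid argument"
    "amsi.dll!AmsiScanBuffer": b"\xb8\x57\x00\x07\x80\xc3" + b"\x90" * 10,
    # ret  -> ETW provider writes nothing
    "ntdll.dll!EtwEventWrite": b"\xc3" + b"\xcc" * 15,
    # mov r10,rcx ; mov eax,<ssn> ...  -> normal Nt* syscall stub (ssn 0x5e is made up)
    "ntdll.dll!NtTraceEvent": b"\x4c\x8b\xd1\xb8\x5e\x00\x00\x00" + b"\x00" * 8,
}


def classify_prologue(code: bytes) -> Optional[str]:
    """Label a known patch idiom at a function's first bytes, or None if clean."""
    if code[:1] == b"\xc3":                                     # ret
        return "ret: function stubbed out"
    if code[:3] in (b"\x31\xc0\xc3", b"\x33\xc0\xc3"):          # xor eax,eax ; ret
        return "xor eax,eax; ret: returns success without running"
    if code[:1] == b"\xb8" and code[5:6] == b"\xc3":            # mov eax,imm32 ; ret
        value = int.from_bytes(code[1:5], "little")
        return f"mov eax,0x{value:08x}; ret: forced return value"
    if code[:1] == b"\xe9":                                     # jmp rel32
        return "jmp rel32 at entry: inline hook or detour"
    if code[:2] == b"\xff\x25":                                 # jmp [rip+disp32]
        return "jmp [mem] at entry: inline hook or detour"
    if code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":  # mov rax,imm64 ; jmp rax
        return "mov rax,imm64; jmp rax at entry: inline hook or detour"
    return None


def changed_since(baseline: Dict[str, bytes], current: Dict[str, bytes]) -> List[str]:
    """Names whose prologue bytes differ from a baseline taken before untrusted code ran."""
    return sorted(name for name, code in current.items() if baseline.get(name) != code)


def scan(current: Dict[str, bytes], baseline: Optional[Dict[str, bytes]] = None) -> Dict[str, str]:
    """Combine both checks into one findings map: module!export -> reason."""
    findings: Dict[str, str] = {}
    for name, code in current.items():
        label = classify_prologue(code)
        if label:
            findings[name] = label
    if baseline is not None:
        for name in changed_since(baseline, current):
            findings.setdefault(name, "prologue bytes differ from baseline")
    return findings


def read_prologue(module: str, export: str, n: int = 16) -> bytes:
    """Read the first n bytes of an export in the current process (Windows only)."""
    k32 = ctypes.windll.kernel32  # attribute exists only on Windows
    k32.LoadLibraryW.restype = ctypes.c_void_p
    k32.LoadLibraryW.argtypes = [ctypes.c_wchar_p]
    k32.GetProcAddress.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    handle = k32.LoadLibraryW(module)
    if not handle:
        raise OSError(f"cannot load {module}")
    addr = k32.GetProcAddress(handle, export.encode("ascii"))
    if not addr:
        raise OSError(f"{module} has no export {export}")
    return ctypes.string_at(addr, n)


def snapshot() -> Dict[str, bytes]:
    """Prologue bytes of every watched export in this process, keyed module!export."""
    out: Dict[str, bytes] = {}
    for module, exports in WATCHED.items():
        for export in exports:
            try:
                out[f"{module}!{export}"] = read_prologue(module, export)
            except OSError:
                pass  # module or export absent on this Windows build
    return out


if __name__ == "__main__":
    if sys.platform == "win32":
        base = snapshot()  # in a real program take this as early as possible
        results = scan(snapshot(), base)
    else:
        print("Live scan needs Windows; running the classifier on constructed samples.")
        results = scan(SAMPLE_PROLOGUES)
    for name, reason in results.items():
        print(f"{name}: {reason}")
    if not results:
        print("no patched prologues found")
```

Two caveats before relying on it. First, a legitimate EDR installs exactly the kind of jmp detour this flags at these same entry points (those are the userland hooks the tool's built-in debugger goes looking for), so a detour finding has to be reconciled with whatever EDR is actually deployed rather than treated as an alert on its own. Second, the check only sees the calling process and only the bytes it reads; an implant that patches a different function, patches after the check runs, or restores the bytes between checks will not show up. It is a sanity check to pair with the vendor-level memory scanning PANW is asking for, not a substitute for it.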
