
Brute Ratel C4: When PenTests Go Bad

11 Jul 2022 7:37am, by

The Palo Alto Networks (PANW) Unit 42 threat research team was quietly going about their business when they spotted yet another malware file in VirusTotal, the community site for suspicious files, domains, IPs and URLs. This one had gotten a benign verdict from all 56 vendors that evaluated it. They looked closer and found it was far from benign. Indeed, it contained a malicious payload associated with Brute Ratel C4 (BRc4), the latest red-team and adversarial attack simulation tool.

Although they say “simulation,” it actually can be used to — surprise! — attack systems. I know you’re shocked by this.

Customizable Command and Control

BRc4 has been around since late 2020. It’s a highly customizable command-and-control (C2) framework. It does not, its makers claim, include exploit-generation features like Metasploit does, or vulnerability-scanning features like Nessus, Acunetix or Burp Suite do.

It does, however, have numerous good features. These include the capability to write command-and-control channels that use services like Slack, Discord and Microsoft Teams. It can also inject shellcode into existing processes and use undocumented syscalls instead of normal Windows API calls. Brute Ratel can also execute programs and scripts entirely in memory. It has a built-in debugger that detects EDR userland hooks so the tool can avoid triggering them.

Good for Some, Not All

In short, it’s very good at its job. But that also means, as PANW states, “This tool is uniquely dangerous in that it was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities.” And, given that so many EDR and AV vendors thought its payload was OK, clearly it is good at this.

And, while that’s good for security pros and red teams, it’s not so good for companies that just want to trust their EDR and AV tools will keep them safe. We should be so lucky.

Does this ring a bell? Does the name Cobalt Strike sound familiar? It should. It’s another C2 framework that already has quite a reputation for being hacked and then misused by attackers. Now, it’s the stealthier BRc4’s turn.

Genie in a Bottle

Brute Ratel’s creator Chetan Nayak, aka Paranoid Ninja, a former detection engineer and red teamer for CrowdStrike and Mandiant, immediately revoked the program’s licenses. But it’s hard to stuff a security genie back into the bottle.

That’s especially true when it appears that APT 29, aka Cozy Bear, the Russian hacker group, is behind the BRc4-empowered attacks. So far, PANW has identified 41 malicious IP addresses associated with the C2, six BRc4 samples and an additional three organizations across North and South America that have been impacted by this tool.

We’ll probably see lots more such attacks. Its May release, Brute Ratel v0.9.0 (Checkmate), added functionality such as “reverse engineering several top tier EDR and Antivirus DLLs.” Silent and deadly. Since then, an even newer version, Brute Ratel v1.0 (Sicilian Defense), has been released.

Now, Its Features Include (Deep Breath)

In terms of features, BRc4 advertises the following capabilities:

  • SMB and TCP payloads that provide the functionality to write custom external C2 channels over legitimate websites such as Slack, Discord, Microsoft Teams and more.
  • Built-in debugger to detect EDR userland hooks.
  • Ability to keep memory artifacts hidden from EDRs and AV.
  • Direct Windows syscalls on the fly.
  • Egress over HTTP, HTTPS, DNS Over HTTPS, SMB and TCP.
  • LDAP Sentinel, which provides a rich GUI interface to run various LDAP queries against the domain or a forest.
  • Multiple command and control channels — multiple pivot options such as SMB, TCP, WMI, WinRM and managing remote services over RPC.
  • Take screenshots.
  • x64 shellcode loader.
  • Reflective and object file loader.
  • Decoding KRB5 tickets and converting them to hashcat format.
  • Patching event tracing for Windows (ETW).
  • Patching Anti Malware Scan Interface (AMSI).
  • Create Windows system services.
  • Upload and download files.
  • Create files via CreateFileTransacted.
  • Port scan.

It really is impressive.

What You Can Do

So what can you do to block it when it’s used maliciously? Well, PANW, of course, urges you to defend yourself with its threat prevention, Cortex XDR and WildFire malware analysis. But the company also encourages “all security vendors to create protections to detect activity from this tool and all organizations to be on alert for activity from this tool.”
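What "create protections to detect activity from this tool" can look like in practice, as an added example that is not code from The New Stack, Unit 42 or the Brute Ratel project: two of the traffic patterns in the feature list above, C2 channels riding on Slack, Discord or Teams, and egress over DNS over HTTPS, leave a shape in connection logs that a defender can look for without any sample of the payload. The script below parses a constructed log format (epoch, host, process image, destination), flags collaboration-SaaS connections from processes that are not the expected clients, flags direct connections to public DoH resolvers, and then checks whether any flagged flow connects at a near-constant interval, the signature of a sleep-based beacon. The host lists, the expected-process list, the log format and the thresholds are all assumptions to tune per environment.

```python
"""
Added example (not code from The New Stack, Unit 42 or the Brute Ratel project):
a small detection pass over constructed connection logs that flags the two
traffic patterns the article's feature list describes, C2 over collaboration
SaaS (Slack, Discord, Teams) and egress over DNS-over-HTTPS, and then checks
whether any flagged flow beacons at a fixed interval.
"""
import re
import statistics
from collections import defaultdict

# Destinations a covert C2 channel can hide behind. Assumption: adjust to the
# SaaS your estate actually uses.
SAAS_C2_HOSTS = {
    "slack.com", "api.slack.com",
    "discord.com", "gateway.discord.gg",
    "teams.microsoft.com", "graph.microsoft.com",
}
# Public DoH resolvers. Assumption: your endpoints do not use these directly.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
# Processes expected to reach the SaaS hosts. Assumption: tune per environment.
EXPECTED_PROCESSES = {
    "slack.exe", "discord.exe", "teams.exe", "ms-teams.exe",
    "chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe",
}

# Constructed log format: "<epoch> host=<name> proc=<image> dst=<fqdn>:<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\d+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+)$"
)

# Constructed sample: one legitimate Teams flow, a rundll32.exe flow to Slack
# every 60 s, a DoH flow from an unexpected process, and a browser on Discord.
SAMPLE_LOG = """\
1657520000 host=WS-042 proc=teams.exe dst=teams.microsoft.com:443
1657520005 host=WS-042 proc=rundll32.exe dst=api.slack.com:443
1657520065 host=WS-042 proc=rundll32.exe dst=api.slack.com:443
1657520125 host=WS-042 proc=rundll32.exe dst=api.slack.com:443
1657520185 host=WS-042 proc=rundll32.exe dst=api.slack.com:443
1657520200 host=WS-017 proc=updater.exe dst=cloudflare-dns.com:443
1657520210 host=WS-017 proc=chrome.exe dst=discord.com:443
"""


def parse(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = int(ev["ts"])
    ev["port"] = int(ev["port"])
    ev["proc"] = ev["proc"].lower()
    ev["dst"] = ev["dst"].lower()
    return ev


def classify(ev):
    """Name the suspicious pattern an event matches, or None."""
    if ev["dst"] in DOH_HOSTS and ev["port"] == 443:
        return "doh-egress"
    if ev["dst"] in SAAS_C2_HOSTS and ev["proc"] not in EXPECTED_PROCESSES:
        return "saas-from-unexpected-process"
    return None


def detect(lines):
    """Return every flagged event with its reason attached."""
    findings = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        reason = classify(ev)
        if reason:
            findings.append({**ev, "reason": reason})
    return findings


def beacon_candidates(lines, min_conns=4, max_cv=0.2):
    """Among flagged flows, return (host, proc, dst) tuples whose connection
    intervals are nearly constant, the shape of a sleep-based C2 beacon."""
    by_flow = defaultdict(list)
    for f in detect(lines):
        by_flow[(f["host"], f["proc"], f["dst"])].append(f["ts"])
    periodic = []
    for flow, stamps in by_flow.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            periodic.append(flow)
    return periodic


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f"{f['host']} {f['proc']} -> {f['dst']}: {f['reason']}")
    print("beacon candidates:", beacon_candidates(SAMPLE_LOG.splitlines()))
```

Run as-is, the script reports the four rundll32.exe connections to api.slack.com and the updater.exe connection to cloudflare-dns.com, and names the rundll32.exe flow as a beacon candidate because its 60-second gaps never vary. Process-attributed connection logs of this kind come from EDR or Sysmon network telemetry rather than from a perimeter proxy alone, which is the point: the article's warning is that the payload itself may look clean, so the behaviour around it is what you have left to watch. On a fleet that sanctions DNS over HTTPS, drop those resolvers from DOH_HOSTS or scope the check to unexpected processes the same way the SaaS check does.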

This is a big deal. Encourage your security providers to follow up on this. You don’t want to see your systems compromised by this tool. You might not know that you’ve been hacked for months.

The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Unit.

Featured image by ThisisEngineering RAEng on Unsplash.