Threat actors exchange beacons for badgers to evade endpoint security

Unidentified cyber threat actors have started using Brute Ratel C4 (BRc4), an adversary simulation tool similar to Cobalt Strike, to try to avoid detection by endpoint security solutions and gain a foothold on target networks, Palo Alto Networks researchers have found.

Their line of attack is apparently successful, as one of the files delivering the Brute Ratel C4 “badger” – a payload for remote access similar to Cobalt Strike’s Beacon – has initially not been flagged as malicious by security tools leveraged by VirusTotal.

Malicious files delivering Brute Ratel payloads

The first file the researchers analyzed was an ISO file pretending to contain a CV and was uploaded to VirusTotal on May 19, 2022, from Sri Lanka.

If the potential victim double-clicks the ISO file and tries then to open a shortcut (LNK) file posing as a Word file, the following happens:

1. Command Prompt (cmd.exe) is launched, which launches
2. OneDriveUpdater.exe, a non-malicious Microsoft tool that is used to synchronize data from a local machine to the cloud, but which in this case also loads
3. Version.dll, a modified file that loads an encrypted payload file, OneDrive.update

“The modification decrypts the file and in-memory loads the first stage of shellcode. To maintain code capabilities, the actors use DLL API proxying to forward requests to the legitimate version.dll named vresion.dll. Vresion.dll is a dependency file of the actor’s version.dll and will be loaded with the actor’s version.dll,” researchers Mike Harbison and Peter Renals explained.

“The in-memory code, that is Brute Ratel C4, executes as a Windows thread in the RuntimeBroker.exe process space and begins to communicate with IP 174.129.157[.]251 on TCP port 443.”

All the files except the LNK one are hidden from the users’ view, as is the final delivery of the Brute Ratel C4 “badger” payload (OneDrive.update).

The researchers found another similar malicious file uploaded to VirusTotal, named badger_x64.exe.

“When uploaded to VirusTotal, only two out of 66 vendors considered the sample malicious. Currently, 12 vendors identify the sample as malicious with eight classifying this sample as ‘Brutel,’ further supporting that our in-memory code is somehow associated with that of Brute Ratel C4,” the researchers shared.

This second sample contacted another IP address (159.65.186[.]50 on port 443), and additional connections to it allowed the researchers to identify several suspected victim organizations in North and South America.

Both of the IP addresses the samples contacted used the same self-signed SSL certificate impersonating Microsoft Security, and it led them to 41 more IP addresses and additional seven samples of BRc4 dating back to February 2021.

A good tool in the wrong hands

The aforementioned ISO file has many similarities to how APT29 (aka Cozy Bear) packages ISO files to target their victims, leading the researchers to suspect they might be using BRc4 to create their malicious payloads – though this piece of information alone is definitely not a smoking gun.

Comments by threat researchers following the publication of the report point to ransomware gangs being interested in using the Brute Ratel tool and even creating fake US companies to be able to buy licenses for using it.

Chetan Nayak, Brute Ratel’s creator, says that, in this case, it’s not ransomware gangs:

Despite the creator going through a vetting process to make sure he’s selling the tool to ethical pentesters and red-teamers, sooner or later Brute Ratel licenses are bound to end up in the wrong hands.

“Brute Ratel is uniquely dangerous in that it was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities,” the researchers noted, and urged security vendors to create protections to detect activity from this tool and organizations to take proactive measures to defend against it. To help, they shared IoCs and file samples.

Don't miss