The Brute Ratel C4 (BRc4) red-teaming and adversarial attack simulation tool has been used by nation-state attackers to evade detection, according to security researchers at Palo Alto Networks.
Released in December 2020, BRc4 provides a level of sophistication similar to that of Cobalt Strike and has been specifically designed to evade detection by security solutions. The tool is currently sold for $2,500 for a one-year, single user license.
BRc4’s effectiveness in evading detection, the researchers say, was recently proven by the fact that a sample submitted to VirusTotal in May was not seen as malicious by any of the AV engines used by the malware scanning service.
The sample was a self-contained ISO containing a shortcut (LNK) file, a malicious DLL, and a copy of the Microsoft OneDrive Updater. When the legitimate tool was executed, DLL order hijacking was employed to load the malicious payload.
The packaging technique, Palo Alto Networks says, is consistent with recent attacks attributed to Russian state-sponsored hacking group Cozy Bear (APT29), which has been abusing known cloud storage and online collaboration applications.
When executed, the malicious DLL, which is a modified version of a legitimate Microsoft file, uses undocumented Windows NTAPI calls for process injection to execute a payload within the Runtimebroker.exe memory space.
The payload uses multiple push and mov instructions to copy the Brute Ratel C4 code and reassemble it into memory for execution. A second sample using the same instructions also had a low detection rate in VirusTotal, with some AVs currently classifying it as “Brutel.”
Palo Alto Networks’ researchers identified an Amazon AWS-hosted IP address that communicates with Brute Ratel C4, and also observed several connections from a Ukrainian IP that was likely used to administer the command and control (C&C) infrastructure.
Furthermore, the researchers identified several potential victims, including an organization in Argentina, an IP television provider of North and South American content, and a textile manufacturer in Mexico.
“Given the geographic dispersion of these victims, the upstream connection to a Ukrainian IP and several other factors, we believe it is highly unlikely that BRc4 was deployed in support of legitimate and sanctioned penetration testing activities,” the researchers note.
Palo Alto Networks says it identified an additional seven BRc4 samples, dating back to February 2021, urging security vendors to update their tools to detect the threat and encouraging organizations to take proactive measures to mitigate the risk posed by BRc4.