Connect with us

Hi, what are you looking for?


Network Security

Hackers Using ‘Brute Ratel C4’ Red-Teaming Tool to Evade Detection

The Brute Ratel C4 (BRc4) red-teaming and adversarial attack simulation tool has been used by nation-state attackers to evade detection, according to security researchers at Palo Alto Networks.

The Brute Ratel C4 (BRc4) red-teaming and adversarial attack simulation tool has been used by nation-state attackers to evade detection, according to security researchers at Palo Alto Networks.

Released in December 2020, BRc4 provides a level of sophistication similar to that of Cobalt Strike and has been specifically designed to evade detection by security solutions. The tool is currently sold for $2,500 for a one-year, single user license.

BRc4’s effectiveness in evading detection, the researchers say, was recently proven by the fact that a sample submitted to VirusTotal in May was not seen as malicious by any of the AV engines used by the malware scanning service.

The sample was a self-contained ISO containing a shortcut (LNK) file, a malicious DLL, and a copy of the Microsoft OneDrive Updater. When the legitimate tool was executed, DLL order hijacking was employed to load the malicious payload.

The packaging technique, Palo Alto Networks says, is consistent with recent attacks attributed to Russian state-sponsored hacking group Cozy Bear (APT29), which has been abusing known cloud storage and online collaboration applications.

When executed, the malicious DLL, which is a modified version of a legitimate Microsoft file, uses undocumented Windows NTAPI calls for process injection to execute a payload within the Runtimebroker.exe memory space.

The payload uses multiple push and mov instructions to copy the Brute Ratel C4 code and reassemble it into memory for execution. A second sample using the same instructions also had a low detection rate in VirusTotal, with some AVs currently classifying it as “Brutel.”

Advertisement. Scroll to continue reading.

Palo Alto Networks’ researchers identified an Amazon AWS-hosted IP address that communicates with Brute Ratel C4, and also observed several connections from a Ukrainian IP that was likely used to administer the command and control (C&C) infrastructure.

Furthermore, the researchers identified several potential victims, including an organization in Argentina, an IP television provider of North and South American content, and a textile manufacturer in Mexico.

“Given the geographic dispersion of these victims, the upstream connection to a Ukrainian IP and several other factors, we believe it is highly unlikely that BRc4 was deployed in support of legitimate and sanctioned penetration testing activities,” the researchers note.

Palo Alto Networks says it identified an additional seven BRc4 samples, dating back to February 2021, urging security vendors to update their tools to detect the threat and encouraging organizations to take proactive measures to mitigate the risk posed by BRc4.

Related: Threat Actors Exploiting Confluence Server Vulnerability

Related: Russia’s APT29 Delivering Malware Used in COVID-19 Vaccine Spying

Related: Defending Your Business Against Russian Cyberwarfare

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Network Security

Our networks have become atomized which, for starters, means they’re highly dispersed. Not just in terms of the infrastructure – legacy, on-premises, hybrid, multi-cloud,...