Security Experts:

Connect with us

Hi, what are you looking for?


Network Security

Hackers Using ‘Brute Ratel C4’ Red-Teaming Tool to Evade Detection

The Brute Ratel C4 (BRc4) red-teaming and adversarial attack simulation tool has been used by nation-state attackers to evade detection, according to security researchers at Palo Alto Networks.

The Brute Ratel C4 (BRc4) red-teaming and adversarial attack simulation tool has been used by nation-state attackers to evade detection, according to security researchers at Palo Alto Networks.

Released in December 2020, BRc4 provides a level of sophistication similar to that of Cobalt Strike and has been specifically designed to evade detection by security solutions. The tool is currently sold for $2,500 for a one-year, single user license.

BRc4’s effectiveness in evading detection, the researchers say, was recently proven by the fact that a sample submitted to VirusTotal in May was not seen as malicious by any of the AV engines used by the malware scanning service.

The sample was a self-contained ISO containing a shortcut (LNK) file, a malicious DLL, and a copy of the Microsoft OneDrive Updater. When the legitimate tool was executed, DLL order hijacking was employed to load the malicious payload.

The packaging technique, Palo Alto Networks says, is consistent with recent attacks attributed to Russian state-sponsored hacking group Cozy Bear (APT29), which has been abusing known cloud storage and online collaboration applications.

When executed, the malicious DLL, which is a modified version of a legitimate Microsoft file, uses undocumented Windows NTAPI calls for process injection to execute a payload within the Runtimebroker.exe memory space.

The payload uses multiple push and mov instructions to copy the Brute Ratel C4 code and reassemble it into memory for execution. A second sample using the same instructions also had a low detection rate in VirusTotal, with some AVs currently classifying it as “Brutel.”

Palo Alto Networks’ researchers identified an Amazon AWS-hosted IP address that communicates with Brute Ratel C4, and also observed several connections from a Ukrainian IP that was likely used to administer the command and control (C&C) infrastructure.

Furthermore, the researchers identified several potential victims, including an organization in Argentina, an IP television provider of North and South American content, and a textile manufacturer in Mexico.

“Given the geographic dispersion of these victims, the upstream connection to a Ukrainian IP and several other factors, we believe it is highly unlikely that BRc4 was deployed in support of legitimate and sanctioned penetration testing activities,” the researchers note.

Palo Alto Networks says it identified an additional seven BRc4 samples, dating back to February 2021, urging security vendors to update their tools to detect the threat and encouraging organizations to take proactive measures to mitigate the risk posed by BRc4.

Related: Threat Actors Exploiting Confluence Server Vulnerability

Related: Russia’s APT29 Delivering Malware Used in COVID-19 Vaccine Spying

Related: Defending Your Business Against Russian Cyberwarfare

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cybersecurity Funding

Forward Networks, a company that provides network security and reliability solutions, has raised $50 million from several investors.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Network Security

Cisco patched a high-severity SQL injection vulnerability in Unified Communications Manager (CM) and Unified Communications Manager Session Management Edition (CM SME).

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Vulnerabilities identified in TP-Link and NetComm router models could be exploited to achieve remote code execution (RCE).