Hacking groups and ransomware operations are moving away from Cobalt Strike to the newer Brute Ratel post-exploitation toolkit to evade detection by EDR and antivirus solutions.
Corporate cybersecurity teams commonly consist of employees who attempt to breach corporate networks (red team) and those who actively defend against them (blue team). Both teams then share notes after engagements to strengthen the cybersecurity defenses of a network.
For years, one of the most popular tools in red team engagements has been Cobalt Strike, a toolkit allowing attackers to deploy "beacons" on compromised devices to perform remote network surveillance or execute commands.
While Cobalt Strike is legitimate software, threat actors have been sharing cracked versions online, making it one of the most popular tools used by hackers and ransomware operations to spread laterally through breached corporate networks.
Hackers switch to Brute Ratel
In 2020, Chetan Nayak, an ex-red teamer at Mandiant and CrowdStrike, released Brute Ratel Command and Control Center (BRc4) as an alternative to Cobalt Strike for red team penetration testing engagements.
Like Cobalt Strike, Brute Ratel is an adversarial attack simulation tool that allows red teamers to deploy 'Badgers' (similar to beacons in Cobalt Strike) on remote hosts. These badgers connect back to the attacker's Command and Control server to receive commands to execute or transmit the output of previously run commands.
In a new report by Palo Alto Unit 42, researchers have spotted threat actors moving away from Cobalt Strike to using Brute Ratel as their post-exploitation toolkit of choice.
This shift matters because BRc4 was built specifically to evade EDR and antivirus products: when the sample was first seen in the wild, almost no engines on VirusTotal flagged it as malicious.
"While this capability has managed to stay out of the spotlight and remains less commonly known than its Cobalt Strike brethren, it is no less sophisticated," explains Unit 42's report.
"Instead, this tool is uniquely dangerous in that it was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities. Its effectiveness at doing so can clearly be witnessed by the aforementioned lack of detection across vendors on VirusTotal."
In attacks suspected to be linked to the Russian state-sponsored hacking group APT29 (aka CozyBear and Dukes), threat actors distribute malicious ISOs that allegedly contain a submitted résumé (CV).
However, the 'Roshan-Bandara_CV_Dialog' résumé file is actually a Windows shortcut (LNK) that launches the bundled OneDriveUpdater.exe, as shown in the file's properties below.
OneDriveUpdater.exe itself is a legitimate, signed Microsoft executable. Because Windows resolves a DLL dependency by checking the application's own directory before the system directories, the malicious version.dll placed beside it is loaded in place of the real one (DLL search-order hijacking, often called sideloading). That DLL acts as a loader for a Brute Ratel badger, which it injects into the RuntimeBroker.exe process.
Once the Brute Ratel badger is loaded, the threat actors can remotely access the compromised device to execute commands and spread further in the now-breached network.
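The chain above (shortcut, signed OneDriveUpdater.exe, malicious version.dll beside it, badger injected into RuntimeBroker.exe) is a standard DLL search-order hijack, and both halves of it are easy to triage. The Python below is an added example written for this page, not code from Unit 42, BleepingComputer or the Brute Ratel project. One function scans a file listing (for instance the contents of a mounted ISO) for a hijackable DLL sitting next to an executable outside a system directory; the other applies the same rule to Sysmon Event ID 7 (Image loaded) records. The DLL names beyond version.dll, the trusted-directory list, the event field names and every sample path are assumptions constructed for illustration.

```python
"""Triage helpers for the DLL search-order hijack described above.

Added example, not code from the page, Unit 42 or Brute Ratel. The DLL
list, trusted directories, event shape and sample data are assumptions.
"""
from pathlib import PureWindowsPath

# DLLs that Windows resolves through the search order and that are commonly
# dropped beside a legitimate EXE. version.dll is the one the page names;
# the others are assumed, illustrative additions.
SIDELOAD_DLLS = {
    "version.dll", "dbghelp.dll", "wtsapi32.dll", "winhttp.dll",
    "cryptsp.dll", "userenv.dll", "dwmapi.dll", "mpr.dll",
}

# Where those DLLs legitimately live (assumed list, lower-case for matching).
TRUSTED_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}


def _norm(path: str) -> PureWindowsPath:
    """Lower-case a Windows path so comparisons are case-insensitive."""
    return PureWindowsPath(path.lower())


def is_trusted_dir(directory: PureWindowsPath) -> bool:
    return str(directory) in TRUSTED_DIRS


def find_sideload_layouts(paths):
    """Return (exe, dll) pairs where a hijackable DLL sits beside an
    executable in a directory that is not a trusted system location.
    Input: iterable of Windows file paths, e.g. a listing of a mounted ISO."""
    by_dir = {}
    for original in paths:
        norm = _norm(original)
        by_dir.setdefault(norm.parent, []).append((norm, original))

    hits = []
    for directory, entries in by_dir.items():
        if is_trusted_dir(directory):
            continue
        exes = [orig for norm, orig in entries if norm.suffix == ".exe"]
        dlls = [orig for norm, orig in entries if norm.name in SIDELOAD_DLLS]
        hits.extend((exe, dll) for exe in exes for dll in dlls)
    return hits


def flag_sideload_loads(events):
    """Scan Sysmon Event ID 7-style records ({"Image": ..., "ImageLoaded": ...}).
    Flag a load when the DLL has a hijackable name, was not loaded from a
    trusted system directory, and lives in the loading process's own
    directory, which is exactly the search-order slot an attacker abuses."""
    flagged = []
    for ev in events:
        image = _norm(ev["Image"])
        loaded = _norm(ev["ImageLoaded"])
        if loaded.name not in SIDELOAD_DLLS:
            continue
        if is_trusted_dir(loaded.parent):
            continue
        if loaded.parent == image.parent:
            flagged.append(ev)
    return flagged


# Constructed sample data modelled on the chain above (not real artefacts).
ISO_FILES = [
    r"D:\Roshan-Bandara_CV_Dialog.lnk",   # shortcut that launches the EXE
    r"D:\OneDriveUpdater.exe",            # legitimate, signed Microsoft binary
    r"D:\version.dll",                    # malicious loader placed beside it
    r"D:\readme.txt",
]

EVENTS = [
    {"Image": r"D:\OneDriveUpdater.exe",
     "ImageLoaded": r"D:\version.dll"},                          # hijack
    {"Image": r"C:\Program Files\Microsoft OneDrive\OneDriveUpdater.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},         # normal load
    {"Image": r"C:\Program Files\SomeVendor\app.exe",
     "ImageLoaded": r"C:\Program Files\SomeVendor\helper.dll"},  # private DLL, not a hijack name
]

if __name__ == "__main__":
    for exe, dll in find_sideload_layouts(ISO_FILES):
        print(f"sideload layout: {exe} + {dll}")
    for ev in flag_sideload_loads(EVENTS):
        print(f"suspicious load: {ev['Image']} -> {ev['ImageLoaded']}")
```

Both checks are heuristics, not proof of compromise: a vendor that ships its own copy of one of these DLLs will trip them, so the natural next pivots are the signature fields Sysmon records for the loaded image and, for the last step of this chain, remote-thread or process-access events targeting RuntimeBroker.exe.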
Ransomware gangs get in on the action
Brute Ratel currently costs $2,500 per user for a one-year license, with customers required to provide a business email address and be verified before a license is issued.
"But due to the nature of the software, we only sell the product to registered companies and individuals with an official business e-mail address/Domain after verifying the business and the person's work history," explains the Brute Ratel pricing page.
As this is a manual verification process, it raises the question of how threat actors obtain licenses.
Brute Ratel developer Chetan Nayak told BleepingComputer that the license used in the attacks reported by Unit 42 had been leaked by a disgruntled employee of one of his customers.
Because each generated payload is tied to the license that produced it, Nayak was able to identify the licensee and revoke the license.
However, according to AdvIntel CEO Vitali Kremez, ex-Conti ransomware members have also started to acquire licenses by creating fake US companies to pass the licensing verification system.
"The criminals behind the former Conti ransomware operations explored multiple penetration testing kits beyond usage of Cobalt Strike," Kremez told BleepingComputer in a conversation.
"In one particular case, they have gained access to the Brute Ratel kit that was used for post-exploitation in targeted attacks from BumbleBee loader. The ultimate goal of the Brute Ratel usage was post-exploitation framework for lateral movement and subsequent network encryption via ransomware payload."
"To get access to the Brute Ratel licenses, the threat actors create fake US companies which are used as part of the verification process."
BleepingComputer reached out to Brute Ratel's creator, Chetan Nayak, with questions regarding the verification process but has not heard back.
Comments
EndangeredPootisBird - 1 year ago
If you think about it, the penetration testing vendors are the biggest enemy in the cybersecurity field, as they are who allowed cybergroups to reach the complexity they are currently at.
IMO they should be held responsible for the damage they have caused by helping cybercriminals.
TsVk! - 1 year ago
That's an asinine understanding of the industry. Who will the blue team practice hardening their networks with if not for the red team? Who will help secure us if we don't have friends who behave like bad actors and let us know where we are going wrong and what we need to do? You can be sure that criminal groups won't be sending us notes explaining how they pwned our networks and systems.
EndangeredPootisBird - 1 year ago
Except you don't need any of that if you just employ Zero Trust across the endpoints, clouds, identities, etc, and use vulnerability/patch management and a password manager for all employees.
asdadawdw - 1 year ago
lmao, you are clueless! ... that ain't practical for real life employees ... who are you kidding ... you think they can work with that!
Skiddywinks - 1 year ago
The reality is that Cobalt Strike is not exactly an unknown entity at this point. It is easily picked up by AV, and that was the intent; Raphael Mudge made it incredibly flexible, but pretty basic as standard. The default C2 profiles and Beacon payload itself are not exactly stealthy. The onus is on the operator of a red team engagement to test the specific case of their customer/employer. That involves changing the traffic profile, modifying the payload, obfuscation, etc. All the good stuff is still left to the operator. In that regard, Cobalt Strike does make the actual management of an engagement easier, but it's not brilliant without the underpinning knowledge.
People getting hit by CS Beacons should honestly not be missing them. Besides, attackers still need to get access to the machines in the first place to deploy the beacon. It is a very convenient tool for what it does, but even if it disappeared from existence right now, it wouldn't make much of a difference to the threat landscape. Obviously, if a lot of work has gone into anti-virus evasion, then that's a bit of a different matter, but in those cases the attacker knows more than they need to make do without Beacon anyway.