Stealthy Cyber-Campaign Ditches Cobalt Strike for Rival Brute Ratel Pen Test Tool

Published: 23/11/2024   Category: security




The latest criminal use of a legitimate red-teaming tool helps attackers stay under the radar and better access living-off-the-land binaries.



In a fresh campaign that takes a page from the advanced persistent threat known as APT29, hackers are shifting away from the Cobalt Strike post-exploitation toolkit, instead embracing Brute Ratel C4 (BRc4).
BRc4 is the latest upstart in the red-team tooling world; like Cobalt Strike, it's an adversarial attack simulation tool designed for penetration testers. It's a command-and-control (C2) framework that's not easily detected by endpoint detection and response (EDR) technology or other anti-malware tools.
A report from Palo Alto Networks' Unit 42 research team found evidence of attackers subverting Brute Ratel's free licensing protections and using the tool to run criminal attack campaigns.
The infrastructure they uncovered is extensive, researchers noted.
"In terms of C2, we found that the sample called home to an Amazon Web Services (AWS) IP address located in the United States over port 443," they explained. "Further, the X.509 certificate on the listening port was configured to impersonate Microsoft with an organization name of 'Microsoft' and organization unit of 'Security.'"
"Pivoting on the certificate and other artifacts, we identified a total of 41 malicious IP addresses, nine BRc4 samples, and an additional three organizations across North and South America that have been impacted by this tool so far," they added.
Unit 42 said the sample using BRc4 relies on known APT29 techniques, including well-known cloud storage and online collaboration applications. In this case, the sample studied was packaged as a self-contained ISO that included a Windows shortcut (LNK) file, a malicious payload library, and a legitimate copy of Microsoft OneDrive Updater.
"Attempts to execute the benign application from the ISO-mounted folder resulted in the loading of the malicious payload as a dependency through a technique known as DLL search order hijacking," the report explained.
This technique of using legitimate tools and native utilities is known as living off the land, and threat actors are increasingly using living-off-the-land binaries (LOLBins) to drop malicious payloads.
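The two observables the article describes, a Microsoft-signed binary side-loading an unsigned DLL from an ISO-mounted volume, and a C2 listener presenting a certificate that merely claims to be Microsoft, can both be hunted for in endpoint telemetry. The following is an added example written for this page, not code from Unit 42 or Dark Reading: the event schema (field names, `volume_kind` values) is hypothetical and would be mapped onto your own EDR or Sysmon fields, the sample events are constructed, `payload.dll` is a placeholder because the report does not name the hijacked library, and `TRUSTED_ISSUER_ORGS` is an assumed allow-list to tune against your PKI baseline.

```python
"""Heuristic detection for the pattern described above: a legitimately signed
binary launched from a mounted ISO that side-loads an unsigned DLL from its
own directory (DLL search order hijacking), and a TLS certificate that claims
to be Microsoft but is self-signed or not issued by a trusted CA.

Added example; the event schema is hypothetical and the telemetry below is
constructed, not taken from the report.
"""
import ntpath

# Directories where a Microsoft-signed binary normally lives and loads from.
SYSTEM_DIRS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")
# Assumed allow-list of certificate issuer organisations; tune to your own PKI.
TRUSTED_ISSUER_ORGS = {"Microsoft Corporation", "DigiCert Inc"}

# Constructed sample telemetry. 'payload.dll' is a placeholder name.
EVENTS = [
    {"type": "process_create", "pid": 4242, "image": r"D:\OneDriveUpdater.exe",
     "signer": "Microsoft Corporation", "parent_image": r"C:\Windows\explorer.exe",
     "volume_kind": "iso"},
    {"type": "image_load", "pid": 4242, "image": r"D:\OneDriveUpdater.exe",
     "module": r"D:\payload.dll", "module_signer": None},
    {"type": "image_load", "pid": 4242, "image": r"D:\OneDriveUpdater.exe",
     "module": r"C:\Windows\System32\kernel32.dll", "module_signer": "Microsoft Windows"},
    {"type": "network_tls", "pid": 4242, "dst_ip": "203.0.113.10", "dst_port": 443,
     "cert_subject": {"O": "Microsoft", "OU": "Security"},
     "cert_issuer": {"O": "Microsoft", "OU": "Security"}},
    # Benign comparison: the real updater from its install path, with a
    # certificate chained to a trusted issuer (CN is a constructed value).
    {"type": "process_create", "pid": 5151,
     "image": r"C:\Program Files\Microsoft OneDrive\OneDriveUpdater.exe",
     "signer": "Microsoft Corporation", "parent_image": r"C:\Windows\System32\svchost.exe",
     "volume_kind": "fixed"},
    {"type": "network_tls", "pid": 5151, "dst_ip": "198.51.100.7", "dst_port": 443,
     "cert_subject": {"O": "Microsoft Corporation"},
     "cert_issuer": {"O": "Microsoft Corporation", "CN": "constructed issuing CA"}},
]


def _same_dir(a, b):
    """True when two Windows paths sit in the same directory (case-insensitive)."""
    return ntpath.dirname(a).lower() == ntpath.dirname(b).lower()


def _in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def detect(events):
    """Return one finding dict per suspicious event."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    findings = []
    for e in events:
        if e["type"] == "image_load":
            proc = procs.get(e["pid"])
            if proc is None:
                continue
            # Side-load: the process's own directory supplies an unsigned DLL,
            # the directory is outside the usual system locations, and the
            # host binary carries a Microsoft signature.
            if (_same_dir(e["module"], e["image"])
                    and not _in_system_dir(e["module"])
                    and e.get("module_signer") is None
                    and proc.get("signer", "").startswith("Microsoft")):
                sev = "high" if proc.get("volume_kind") in ("iso", "removable") else "medium"
                findings.append({"rule": "signed_binary_sideloads_unsigned_dll",
                                 "pid": e["pid"], "severity": sev,
                                 "detail": f'{e["image"]} loaded {e["module"]}'})
        elif e["type"] == "network_tls":
            subj, issuer = e["cert_subject"], e["cert_issuer"]
            claims_microsoft = "microsoft" in subj.get("O", "").lower()
            self_signed = subj == issuer
            trusted = issuer.get("O") in TRUSTED_ISSUER_ORGS
            # A subject that claims Microsoft but is self-signed or issued by an
            # unknown CA is the impersonation pattern the report describes.
            if claims_microsoft and (self_signed or not trusted):
                findings.append({"rule": "microsoft_lookalike_certificate",
                                 "pid": e["pid"], "severity": "high",
                                 "detail": f'{e["dst_ip"]}:{e["dst_port"]} self_signed={self_signed}'})
    return findings


def correlate(findings):
    """PIDs that triggered both rules: a side-load followed by a lookalike C2 cert."""
    by_pid = {}
    for f in findings:
        by_pid.setdefault(f["pid"], set()).add(f["rule"])
    return {pid for pid, rules in by_pid.items() if len(rules) == 2}


if __name__ == "__main__":
    found = detect(EVENTS)
    for f in found:
        print(f)
    print("correlated PIDs:", correlate(found))
```

Run against the constructed events, the ISO-launched updater (pid 4242) trips both rules while the genuine updater (pid 5151) trips neither; `correlate` is the step that turns two medium-confidence signals into one high-confidence alert, which is what makes this approach useful against tooling that individual signatures do not yet cover.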
Last week, for instance, researchers with Cyble reported that LNK file-based builders are growing in popularity on Dark Web marketplaces, as various malware families lean on them for payload delivery.
"We have observed a steadily increasing number of high-profile threat actors shifting back to .LNK files to deliver their payloads," the Cyble researchers wrote. "Typically, threat actors use LOLBins in such infection mechanisms because it makes detecting malicious activity significantly harder."
"Tools like Cobalt Strike and BRc4 aren't purely living-off-the-land approaches, since you still have to introduce a piece of malware onto the system as opposed to using the operating system's built-in tooling," explains Tim McGuffin, director of adversarial engineering at LARES Consulting.
However, these tools are nevertheless popular with attackers for their ability to evade detection mechanisms, fundamentally for the same reason a living-off-the-land attack works: they're otherwise viewed as legitimate software.
"Brute Ratel is an otherwise legitimate tool that might be present in victim networks," explains John Bambenek, principal threat hunter at Netenrich. "Since its use is likely whitelisted, it allows for attackers to operate more discreetly than they would otherwise be able to do."
This is an unfortunate cycle that the security world has seen occur for a long time, as attackers are drawn to red-team tools like flies to honey.
According to Ivan Righi, senior cyber threat intelligence analyst for Digital Shadows, it's no surprise that BRc4 makes for an attractive tool. Not only does it have offensive security capabilities similar to Cobalt Strike that can be abused for malicious purposes, but it is also less well known than Cobalt Strike.
"Many security solutions may not yet detect Brute Ratel as malicious, as opposed to Cobalt Strike, which is generally more well-known for being used for malicious purposes," Righi says.
According to McGuffin, security practitioners should be concerned about all toolkits like these, whether open source, commercial, or custom. But he believes that they shouldn't get caught up in the whack-a-mole game of detecting the framework or the tooling itself. Instead, they should focus on hardening their systems.
"An emphasis on endpoint hardening can be placed on prevention against any C2 tooling. An example is Microsoft's Attack Surface Reduction Application Allow-listing guidance," he says. "The setting prevents unknown binaries from being introduced, and network egress hardening prevents C2 callbacks to command-and-control servers."
