Threat actors have cracked the Brute Ratel C4 (BRC4) post-exploitation toolkit and leaked it for free in the cybercrime underground. The availability of the cracked version of the tool was first reported by the cybersecurity researcher Will Thomas (@BushidoToken),
Unlike Cobalt strike beacons, BRc4 payloads are less popular, but with similar capabilities. The tool was specifically designed to avoid detection by security solutions such as endpoint detection and response (EDR) and antivirus (AV). Its effectiveness at doing so can clearly be witnessed by the aforementioned lack of detection across vendors on VirusTotal.
“Brute Ratel is the most advanced Red Team & Adversary Simulation Software in the current C2 Market. It can not only emulate different stages of an attacker killchain, but also provide a systematic timeline and graph for each of the attacks executed to help the Security Operations Team validate the attacks and improve the internal defensive mechanisms.” reads the description of the tool on its website. “Brute Ratel comes prebuilt with several opsOpec features which can ease a Red Team’s task to focus more on the analytical part of an engagement instead of focusing or depending on Open source tools for post-exploitation. Brute Ratel is a post-exploitation C2 in the end and however does not provide exploit generation features like metasploit or vulnerability scanning features like Nessus, Acunetix or BurpSuite.”
In June, researchers from Palo Alto Networks Unit 42 warned that threat actors are abusing legitimate adversary simulation software BRc4 in their campaigns to evade detection.
Thomas is warning that a cracked copy of Brute Ratel is now circulating on multiple underground forums.
On 13 September 2022, an archive file called “bruteratel_1.2.2.Scandinavian_Defense.tar.gz” was uploaded to VirusTotal. This file contains a valid copy of BRC4 version 1.2.2/5.
Two weeks later, on 28 September, the author of BRC4, Chetan Nayak, confirmed the leak of the tool by MdSec, he blamed a Russian-speaking group known as Molecules for the leak of the cracked copy.
“This means that with the right instructions, the cracked tool can now be run without the activation key that is required to launch the full software and use its features.” wrote Thomas. “There are now multiple posts on multiple of the most populated cybercrime forums where data brokers, malware developers, initial access brokers, and ransomware affiliates all hang out. This includes BreachForums, CryptBB, RAMP, Exploit[.]in, and Xss[.]is, as well as various Telegram and Discord groups. Threat actors connected to various organized cybercrime groups have expressed interest in the leak of the new tool.”
Searching for active threads on hacking forums like XSS it is already possible to find the cracked version of Brute Ratel C4 version 1.2.2.
The availability of the tool in the wild is very concerning because the post-exploitation tool can generate shellcode that is undetected by many EDR and AV products.
“This extended window of detection evasion can give threat actors enough time to establish initial access, begin lateral movement, and achieve persistence elsewhere. Due to its evasive generation of new payloads it renders stopping Brute Ratel by the traditional blocking of Indicators of Compromise (IOCs) inadequate. It is recommended that defenders use behaviour-based detection opportunities to thwart attacks, like the ones outlined in MdSec’s blog (see here).” concludes Thomas. “Overall, enterprises and public sector organizations must recognize the imminent threat of the proliferation of this tool. Its capabilities closely align with the objectives of ransomware groups that are already highly active and looking for new windows of opportunity.”
(SecurityAffairs – hacking, Brute Ratel)