Ransomware, hacking groups move from Cobalt Strike to Brute Ratel


Hacker groups and ransomware operations are moving from Cobalt Strike to the newer post-exploitation toolkit Brute Ratel to evade detection by EDR and antivirus solutions.

Corporate cybersecurity teams typically consist of individuals who attempt to breach corporate networks (the red team) and those who actively defend them (the blue team). The two teams then exchange notes after their engagements to bolster the network's cybersecurity defenses.

For years, one of the most popular tools in red team operations has been Cobalt Strike, a toolkit that allows attackers to deploy "beacons" on compromised devices to perform remote network surveillance or execute commands.

While Cobalt Strike is legitimate software, threat actors have been sharing cracked versions online, making it one of the most popular tools used by hackers and ransomware operations to spread laterally through breached corporate networks.

Hackers switch to Brute Ratel

In 2020, Chetan Nayak, a former Mandiant and CrowdStrike red teamer, released Brute Ratel Command and Control Center (BRc4) as an alternative to Cobalt Strike for red team penetration testing.

Like Cobalt Strike, Brute Ratel is an adversary attack simulation tool that allows red teamers to deploy "badgers" (similar to beacons in Cobalt Strike) on remote hosts. These badgers connect back to the attacker's command and control server to receive commands to execute or to send back the output of previously executed commands.

In a new report from Palo Alto Networks' Unit 42, researchers reported seeing threat actors move away from Cobalt Strike and adopt Brute Ratel as their preferred post-exploitation toolkit.

This tactical change is significant because BRc4 is designed to evade detection by EDR and antivirus solutions, with nearly all security software failing to flag it as malicious when it was first detected in the wild. "While this ability has managed to stay out of the limelight and is less well known than its Cobalt Strike brethren, it is no less sophisticated for that," explains Unit 42's report.

“Instead, this tool is uniquely dangerous in that it was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities. Its effectiveness at doing so can clearly be witnessed by the aforementioned lack of detection across vendors on VirusTotal.”

In attacks suspected to be linked to the Russian state-sponsored hacking group APT29 (aka CozyBear and the Dukes), threat actors distribute malicious ISOs that purportedly contain a submitted résumé (CV).

Contents of the malicious ISO file
Source: BleepingComputer

However, the 'Roshan-Bandara_CV_Dialog' résumé file is actually a Windows shortcut that launches the bundled OneDriveUpdater.exe file, as shown in the file's properties below.

Windows shortcut disguised as a CV to launch a program
Source: BleepingComputer

While OneDriveUpdater.exe is a legitimate Microsoft executable, the version.dll bundled alongside it, which the program loads at startup, has been modified to act as a loader for a Brute Ratel badger, which is then loaded into the RuntimeBroker.exe process.

Once the Brute Ratel badger is loaded, the threat actors can remotely access the compromised device to execute commands and spread further in the now-breached network.
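The chain described above (a document-looking shortcut inside an ISO, a legitimate Microsoft executable next to a planted version.dll, and a badger ending up in RuntimeBroker.exe) leaves traces a defender can look for. The following script is an added example, not code from the article or from Unit 42: it runs three heuristic checks over a constructed list of file and process events. The event shapes, the drive letter D: for the mounted ISO, the trusted-directory prefixes and the assumption that a RuntimeBroker.exe whose parent is not svchost.exe is suspicious are all my own choices for illustration; the file names themselves come from the article.

```python
"""Heuristic detector for the ISO -> LNK -> DLL side-loading chain above.

Added example; runs over constructed events, not real telemetry. Event dicts,
trusted-path prefixes and the process-parent baseline are assumptions.
"""
import re
from pathlib import PureWindowsPath

# Assumption: locations where a signed Microsoft binary is expected to live.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Document-like extensions and words an attacker may imitate in a .lnk name.
DOC_LIKE_EXT = {".pdf", ".doc", ".docx", ".txt", ".rtf"}
DOC_LIKE_WORDS = {"cv", "resume", "résumé"}
# DLL named in the article as the side-loaded loader.
SIDELOAD_DLLS = {"version.dll"}


def is_trusted_location(path):
    """True if the path sits under a directory where Microsoft binaries normally live."""
    p = path.lower().replace("/", "\\").rstrip("\\") + "\\"
    return p.startswith(TRUSTED_PREFIXES) or "\\appdata\\local\\microsoft\\" in p


def check_disguised_shortcut(file_event):
    """Flag a .lnk whose name looks like a document (e.g. '..._CV_....lnk' or 'x.pdf.lnk')."""
    name = PureWindowsPath(file_event["path"]).name.lower()
    if not name.endswith(".lnk"):
        return None
    stem = name[:-4]
    tokens = set(re.split(r"[^a-z0-9é]+", stem)) - {""}
    if PureWindowsPath(stem).suffix in DOC_LIKE_EXT or tokens & DOC_LIKE_WORDS:
        return f"shortcut disguised as a document: {file_event['path']}"
    return None


def check_sideload(file_events):
    """Flag a known side-load DLL sitting beside an executable outside a trusted directory."""
    by_dir = {}
    for ev in file_events:
        p = PureWindowsPath(ev["path"])
        by_dir.setdefault(str(p.parent).lower(), []).append(p.name.lower())
    findings = []
    for directory, names in by_dir.items():
        if is_trusted_location(directory):
            continue  # version.dll under System32 is the real one; ignore it
        exes = [n for n in names if n.endswith(".exe")]
        dlls = [n for n in names if n in SIDELOAD_DLLS]
        for exe in exes:
            for dll in dlls:
                findings.append(f"possible DLL side-load: {dll} beside {exe} in {directory}")
    return findings


def check_process_chain(proc_events):
    """Flag OneDriveUpdater.exe running from an untrusted path and an oddly parented RuntimeBroker."""
    findings = []
    for ev in proc_events:
        image = PureWindowsPath(ev["image"]).name.lower()
        parent = PureWindowsPath(ev.get("parent", "")).name.lower()
        if image == "onedriveupdater.exe" and not is_trusted_location(ev["image"]):
            findings.append(f"OneDriveUpdater.exe running from untrusted path: {ev['image']}")
        # Assumption: RuntimeBroker.exe is normally started by svchost.exe (DcomLaunch).
        if image == "runtimebroker.exe" and parent != "svchost.exe":
            findings.append(f"RuntimeBroker.exe with unexpected parent: {ev.get('parent')}")
    return findings


def analyze(file_events, proc_events):
    """Run all three checks and return the list of findings."""
    findings = [f for f in map(check_disguised_shortcut, file_events) if f]
    findings += check_sideload(file_events)
    findings += check_process_chain(proc_events)
    return findings


# Constructed sample events: the ISO is assumed to be mounted as D:\.
SAMPLE_FILES = [
    {"path": "D:\\Roshan-Bandara_CV_Dialog.lnk"},
    {"path": "D:\\OneDriveUpdater.exe"},
    {"path": "D:\\version.dll"},
    {"path": "C:\\Windows\\System32\\version.dll"},          # legitimate copy, must not fire
    {"path": "C:\\Users\\alice\\Documents\\notes.txt"},
]
SAMPLE_PROCS = [
    {"image": "D:\\OneDriveUpdater.exe", "parent": "C:\\Windows\\explorer.exe"},
    {"image": "C:\\Windows\\System32\\RuntimeBroker.exe", "parent": "D:\\OneDriveUpdater.exe"},
    {"image": "C:\\Windows\\System32\\RuntimeBroker.exe", "parent": "C:\\Windows\\System32\\svchost.exe"},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_FILES, SAMPLE_PROCS):
        print(finding)
```

Against the constructed sample the script reports four findings (the disguised shortcut, version.dll beside OneDriveUpdater.exe on D:, OneDriveUpdater.exe executing from D:, and the RuntimeBroker.exe parented by OneDriveUpdater.exe) and stays silent on the genuine version.dll in System32 and the normally parented RuntimeBroker.exe. In a real deployment the same logic would be fed by EDR file and process-creation telemetry rather than hand-built dicts.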

Ransomware gangs get in on the action

Brute Ratel currently costs $2,500 per user for a one-year license. Customers must provide a business email address and pass verification before a license is issued.

As Brute Ratel explains on its pricing page, "However, due to the nature of the software, we only sell our products to registered companies and individuals who have an official email address/domain after verifying their work history." Since this is a manual validation process, it raises the question of how threat actors obtain software licenses.

Brute Ratel developer Chetan Nayak told BleepingComputer that the license used in the attacks reported by Unit 42 was leaked by an employee of a disgruntled customer. Nayak said the payload allowed him to determine who owned the license, so he could identify the customer and retrieve the license.

However, according to AdvIntel CEO Vitali Kremez, former members of the Conti ransomware gang began obtaining licenses by creating fake US companies to bypass the license verification system. In an interview with BleepingComputer, Kremez said: "The criminals behind the previous Conti ransomware operations explored multiple penetration testing suites in addition to Cobalt Strike.

"In one case, we received a Brute Ratel kit used for post-exploitation targeted attacks from the BumbleBee loader. The ultimate purpose of using Brute Ratel was a post-exploitation framework for lateral movement and subsequent network encryption using ransomware payloads.

“To access the Brute Ratel license, threat actors create fake US companies that are used as part of the validation process.”
