Unit 42, the research division of Palo Alto Networks, is constantly on the lookout for new and unique malware samples. In the spring of 2022, one such sample was uploaded to VirusTotal, where all 56 vendors that evaluated it rated it as benign. However, the sample contained malicious code associated with Brute Ratel C4, the latest red-teaming and attack simulation tool on the market.
Although Brute Ratel C4 (BRc4) has received less attention and is less well known than its Cobalt Strike counterpart, it is no less sophisticated. Rather, the tool is particularly dangerous because it is specifically designed to evade detection by endpoint detection and response (EDR) and antivirus (AV) products. How effective it is at this is clearly demonstrated by the complete lack of detection by the vendors on VirusTotal described above.
In terms of C2, the researchers noted that the sample accessed an Amazon Web Services (AWS) IP address in the U.S. via port 443. In addition, the X.509 certificate presented on that port was configured to impersonate Microsoft, with the organization name “Microsoft” and the organizational unit “Security.” Using the certificate and other artifacts, the researchers identified a total of 41 compromised IP addresses, nine BRc4 samples, and three additional companies in the Americas that had previously been affected by this tool.
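The certificate pattern described above (a subject claiming the organization “Microsoft” and the unit “Security” on a listener that has nothing to do with Microsoft) is something a defender can check for mechanically: the subject claims a high-value brand, yet the certificate does not chain to any trusted root. The following Go program is an added example, not code from Unit 42 or from the Brute Ratel project. It builds its own constructed test certificates (a throwaway root CA, a leaf issued by that root, a self-signed impostor, and an unrelated leaf) and applies the check to each; the organization and unit strings are the ones quoted in the text, everything else is an assumption made for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var serial int64

// newCert issues a certificate for the constructed scenario. With parent == nil
// the certificate is self-signed; otherwise it is signed by parent/parentKey.
func newCert(subject pkix.Name, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               subject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Finding records why a leaf certificate is, or is not, treated as brand impersonation.
type Finding struct {
	Suspicious bool
	Reasons    []string
}

func hasValue(values []string, want string) bool {
	for _, v := range values {
		if strings.EqualFold(strings.TrimSpace(v), want) {
			return true
		}
	}
	return false
}

// AssessCert flags a leaf whose subject claims the Microsoft organization (the
// pattern seen on the BRc4 listener) but which does not chain to a root in roots.
func AssessCert(cert *x509.Certificate, roots *x509.CertPool) Finding {
	var f Finding
	if !hasValue(cert.Subject.Organization, "Microsoft") {
		return f // no brand claim, nothing to assess with this rule
	}
	f.Reasons = append(f.Reasons, "subject O claims Microsoft")
	if hasValue(cert.Subject.OrganizationalUnit, "Security") {
		f.Reasons = append(f.Reasons, "subject OU is Security")
	}
	if bytes.Equal(cert.RawSubject, cert.RawIssuer) {
		f.Reasons = append(f.Reasons, "self-signed")
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		f.Reasons = append(f.Reasons, "no chain to a trusted root: "+err.Error())
		f.Suspicious = true
	}
	return f
}

// Scenario builds the constructed certificates and assesses each one against a
// root pool that contains only the constructed test root.
func Scenario() (map[string]Finding, error) {
	root, rootKey, err := newCert(pkix.Name{Organization: []string{"Constructed Test Root CA"}}, true, nil, nil)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	msName := pkix.Name{Organization: []string{"Microsoft"}, OrganizationalUnit: []string{"Security"}, CommonName: "example.invalid"}
	legit, _, err := newCert(msName, false, root, rootKey) // same subject, but properly issued
	if err != nil {
		return nil, err
	}
	impostor, _, err := newCert(msName, false, nil, nil) // self-signed, as an attacker would mint it
	if err != nil {
		return nil, err
	}
	other, _, err := newCert(pkix.Name{Organization: []string{"Example Corp"}}, false, nil, nil)
	if err != nil {
		return nil, err
	}
	return map[string]Finding{
		"issued-by-trusted-root": AssessCert(legit, roots),
		"self-signed-impostor":   AssessCert(impostor, roots),
		"no-brand-claim":         AssessCert(other, roots),
	}, nil
}

func main() {
	res, err := Scenario()
	if err != nil {
		panic(err)
	}
	for label, f := range res {
		fmt.Printf("%-24s suspicious=%v reasons=%v\n", label, f.Suspicious, f.Reasons)
	}
}
```

In production the pool would be the system trust store rather than a constructed root, and the brand list would be whatever organizations your environment considers high-value; the point is that the subject string alone proves nothing, and the chain check is what separates the legitimately issued certificate from the impostor.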
This unique sample was packaged in a manner consistent with known techniques used by the hacker group APT29 and its recent campaigns, which leverage well-known cloud storage and online collaboration applications. Notably, the sample was packaged as a standalone ISO file. The ISO contained a Windows shortcut file (LNK), a malicious DLL, and a legitimate copy of Microsoft OneDrive Updater.
Running the benign application from the folder included in the ISO caused the malicious code to be loaded, through a technique known as DLL search order hijacking. While the packaging techniques alone are not enough to attribute this sample to APT29 with confidence, they do show that users of the tool are now deploying BRc4 with new methods.
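The loading chain described above (a signed, legitimate executable resolving a DLL from its own directory on a mounted ISO rather than from System32) leaves a recognisable trace in image-load telemetry. The following Go program is an added example, not code from Unit 42 or from the Brute Ratel project, and it generalizes beyond the single sample: it applies the heuristic to any record in which a well-known system DLL name is loaded side by side with the process image without a valid signature. The records are constructed in a simplified Sysmon-style key=value format; the paths, the updater file name and the DLL name are placeholders chosen for the example, not artifacts from the report, and the starting list of DLL names is an assumption to be replaced by your own baseline.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed Sysmon-style image-load records (Event ID 7 fields reduced to
// pipe-separated key=value pairs). Illustrative only: the paths and file names
// are placeholders, not artifacts from the Unit 42 report.
var sampleEvents = []string{
	`Image=E:\OneDriveUpdate\OneDriveUpdater.exe|ImageLoaded=E:\OneDriveUpdate\version.dll|Signed=false|SignatureStatus=Unavailable`,
	`Image=E:\OneDriveUpdate\OneDriveUpdater.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true|SignatureStatus=Valid`,
	`Image=C:\Program Files\Vendor\app.exe|ImageLoaded=C:\Program Files\Vendor\helper.dll|Signed=false|SignatureStatus=Unavailable`,
	`Image=C:\Windows\System32\svchost.exe|ImageLoaded=C:\Windows\System32\version.dll|Signed=true|SignatureStatus=Valid`,
}

// shadowableDLLs are Windows system DLLs that many applications import by bare
// name, so a copy placed next to the executable wins the search order over the
// System32 copy. Starting list assumed for the example; extend it from your baseline.
var shadowableDLLs = map[string]bool{
	"version.dll": true, "dbghelp.dll": true, "wininet.dll": true, "cryptsp.dll": true,
}

// Alert records why an image-load event matches the side-by-side hijack pattern.
type Alert struct {
	Image   string
	Loaded  string
	Reasons []string
}

func parseEvent(line string) map[string]string {
	fields := map[string]string{}
	for _, kv := range strings.Split(line, "|") {
		if parts := strings.SplitN(kv, "=", 2); len(parts) == 2 {
			fields[parts[0]] = parts[1]
		}
	}
	return fields
}

// winSplit splits a Windows path into lower-cased directory and file name without
// path/filepath, which would use the host OS separator on a Linux analysis box.
func winSplit(p string) (dir, base string) {
	i := strings.LastIndex(p, `\`)
	if i < 0 {
		return "", strings.ToLower(p)
	}
	return strings.ToLower(p[:i]), strings.ToLower(p[i+1:])
}

// CheckEvent flags a load where a system DLL name is resolved from the process's
// own directory rather than System32 and the loaded file carries no valid signature.
func CheckEvent(line string) (Alert, bool) {
	f := parseEvent(line)
	imgDir, _ := winSplit(f["Image"])
	dllDir, dllBase := winSplit(f["ImageLoaded"])
	if imgDir == "" || dllDir != imgDir || !shadowableDLLs[dllBase] {
		return Alert{}, false
	}
	if strings.HasSuffix(dllDir, `\windows\system32`) {
		return Alert{}, false // the expected location for these DLLs
	}
	if f["Signed"] == "true" && f["SignatureStatus"] == "Valid" {
		return Alert{}, false // a validly signed side-by-side copy is a baseline item, not this rule
	}
	a := Alert{Image: f["Image"], Loaded: f["ImageLoaded"]}
	a.Reasons = append(a.Reasons,
		"system DLL name resolved from the application directory instead of System32",
		"loaded DLL has no valid signature")
	if !strings.HasPrefix(imgDir, `c:\`) {
		a.Reasons = append(a.Reasons, "process runs from a non-system volume, e.g. a mounted ISO")
	}
	return a, true
}

// ScanEvents runs CheckEvent over a batch of records and returns the matches.
func ScanEvents(lines []string) []Alert {
	var alerts []Alert
	for _, l := range lines {
		if a, ok := CheckEvent(l); ok {
			alerts = append(alerts, a)
		}
	}
	return alerts
}

func main() {
	for _, a := range ScanEvents(sampleEvents) {
		fmt.Printf("ALERT %s loaded %s\n", a.Image, a.Loaded)
		for _, r := range a.Reasons {
			fmt.Println("  -", r)
		}
	}
}
```

Of the four constructed records only the first matches: the updater loading a system-named DLL from its own directory on a non-system volume without a signature. The same process loading kernel32.dll from System32, an application loading its own unsigned helper DLL, and svchost loading version.dll from System32 are all left alone, which keeps the rule from drowning the analyst in ordinary side-by-side loads.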
Overall, the researchers believe this research is significant because it not only identifies a new red-team capability that remains largely undetected by most cybersecurity vendors, but, more importantly, demonstrates that a growing user base is now leveraging nation-state deployment techniques. A full visualization of the observed techniques, relevant approaches, and indicators of compromise (IoCs) in this context can be found in Unit 42’s ATOM Viewer.
Brute Ratel C4 basics
Brute Ratel C4 first appeared in December 2020 as a penetration testing tool. It was developed by a security engineer living in India named Chetan Nayak (aka Paranoid Ninja). According to his website (Dark Vortex), Nayak gained several years of experience in senior positions at Western cybersecurity vendors. Over the past 2.5 years, Nayak has incrementally improved the pentest tool’s features, capabilities, support and training.
Unit 42’s analysis highlights the ongoing and relevant debate within the cybersecurity industry about the ethical aspects of developing and using penetration testing tools that can be used for offensive purposes. For example, BRc4 currently advertises itself as “A Customized Command and Control Center for Red Team and Adversary Simulation.” On May 16, Nayak announced that the tool had gained 480 users among 350 customers.
The latest version, Brute Ratel v1.0 (Sicilian Defense), was released a day later on May 17 and is currently available at $2,500 per user and $2,250 per renewal. With this price and customer base, BRc4 is positioned to generate more than $1 million in revenue over the next year.
More Samples and Infrastructure
Over the last year, the forged Microsoft Security X.509 certificate has been associated with 41 IP addresses. These addresses have a global geographic spread and predominantly belong to large virtual private server (VPS) hosting providers. The researchers expanded their investigation beyond the two samples above and identified an additional seven samples of BRc4 dating back to February 2021.
The emergence of a new capability for penetration testing and attacker emulation is significant. Even more troubling, however, is BRc4’s effectiveness in circumventing advanced defensive EDR and AV detection capabilities. Over the past two and a half years, this tool has evolved from a part-time hobbyist activity to a full-time development project. The customer base is already in the hundreds and growing, and the tool has gained attention from both legitimate penetration testers and malicious cyber actors.
Analysis of the samples, as well as the advanced techniques used to package the payloads, makes it clear that more and more attackers have begun to adopt this capability. Given the geographical dispersion of the victims, the upstream connection to a Ukrainian IP address, and various other factors, the researchers believe it is highly unlikely that BRc4 was used to support legitimate and sanctioned penetration testing. Security experts therefore recommend that all security vendors develop safeguards to detect activity from this tool, and that all companies be wary of such activity.