Tuesday, November 26, 2024

APT Hackers Weaponizing The Red-Team Pentesting Tool To Evade AV & EDR Detection


During routine malware sample analysis, researchers from Palo Alto Networks' Unit 42 uncovered a new sample carrying a malicious payload associated with the red-team tool Brute Ratel C4 (BRc4), a commercial framework the penetration-testing industry uses to simulate adversary attacks.

Threat actors are moving away from Cobalt Strike and adopting Brute Ratel, a commercially sold post-exploitation and red-teaming tool that was built specifically to evade antivirus and endpoint detection and response (EDR) products.

Brute Ratel C4 was initially developed as a penetration-testing tool by the Indian security engineer Chetan Nayak, who has kept adding red-teaming features and recently released Brute Ratel v0.9.0 (Checkmate), which he described as the "biggest release for Brute Ratel to date."


According to its author, this latest release was tested against, and developed by reverse engineering, most of the industry-leading EDR and antivirus products, in order to maximise its evasion capabilities.

He markets the tool as "A Customized Command and Control Center for Red Team and Adversary Simulation", and it is reportedly used by more than 350 customers.

BRc4 advertises the following capabilities, among others:

  • SMB and TCP payloads that allow custom external C2 channels to be written over legitimate services such as Slack, Discord and Microsoft Teams.
  • A built-in debugger to detect EDR userland hooks.
  • The ability to keep memory artifacts hidden from EDR and antivirus products.
  • Direct Windows syscalls issued on the fly.
  • Egress over HTTP, HTTPS, DNS over HTTPS, SMB and TCP.
  • LDAP Sentinel, a rich GUI for running LDAP queries against a domain or forest.
  • Multiple command-and-control channels and pivot options: SMB, TCP, WMI, WinRM, and management of remote services over RPC.
  • Screenshot capture.
  • An x64 shellcode loader.
  • Reflective and object-file loaders.
  • Decoding KRB5 tickets and converting them to hashcat format.
  • Patching Event Tracing for Windows (ETW).
  • Patching the Anti-Malware Scan Interface (AMSI).
  • Creating Windows system services.
  • Uploading and downloading files.
  • Creating files via CreateFileTransacted.
  • Port scanning.

Malware Sample Analysis:

The sample, an ISO file named Roshan_CV.iso that raised no red flags on VirusTotal, was disguised as the résumé of a person named Roshan.

Nothing about the ISO looks malicious when it is double-clicked: mounting it shows a single file, Roshan-Bandara_CV_Dialog, bearing a fake Microsoft Word icon.

Double-clicking that file starts an execution chain that installs Brute Ratel C4 on the victim's system.

The ISO also contains files that are hidden by default. With hidden files shown, four files appear, one of which is a Windows shortcut (LNK).

Double-clicking the LNK kicks off the process chain described below.

The malicious ISO is delivered to victims through spear-phishing email campaigns or fetched onto the host by a second-stage downloader.

Of the hidden files dropped, Unit 42 researchers said, “a Version.dll is a modified version of a legitimate Microsoft file written in C++. The implanted code is used to load and decrypt an encrypted payload file. The decrypted payload is that of shellcode (x64 assembly) that is further used to execute Brute Ratel C4 on the host.”

“Further analysis reveals that the IP 174.129.157[.]251 is hosted on Amazon AWS, and Palo Alto Networks Cortex Xpanse history shows the IP had TCP port 443 open from April 29, 2022, until May 23, 2022, with a self-signed SSL certificate impersonating Microsoft Security”.

Researchers suspect that the connections to ports 22, 443 and 8060 originated from a Ukrainian IP address (213.200.56[.]105), believed to belong to a residential user operating the C2 infrastructure.

Palo Alto also identified several suspected victims, including an Argentinian organization, an IP television provider serving North and South American content, and a major textile manufacturer in Mexico.

The IOC details are available in the Unit 42 report.


Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
