Thursday, March 28, 2024

APT Hackers Weaponizing The Red-Team Pentesting Tool To Evade AV & EDR Detection

During the routine malware sample analysis, researchers from Palo Alto’s UNIT 42 uncovered the new malware sample that contains a malicious payload associated with the Red Team exploitation Tool called ” Brute Ratel C4 (BRc4)” that is used in the Pentesting industry to simulate the adversarial attacks.

Threat actors are now moving out from Cobalt Strike and started using the new post-exploitation tool Brute Ratel (Redteaming Tool in the commercial market), which is highly sophisticated and developed to Evade the Anti-virus and endpoint detection and response detection.

Brute Ratel C4 was initially developed as a penetration testing tool by an Indian security engineer Chetan Nayak. He is continuously built this tool by adding various Red Teaming features and released Brute Ratel v0.9.0 (Checkmate), described as the “biggest release for Brute Ratel to date.”

This most recently released version was tested and reverse engineering most of the industrial leading EDR and Anti-virus software to ensure the maximum level of evasion capabilities.

He advertised this tool as A Customized Command and Control Center for Red Team and Adversary Simulation and is used by more than 350 customers.

There are several capabilities of the following included with BRc4:

  • SMB and TCP payloads provide the functionality to write custom external C2 channels over legitimate websites such as Slack, Discord, Microsoft Teams and more.
  • Built-in debugger To detect EDR userland hooks.
  • Ability to keep memory artifacts hidden from EDRs and AV.
  • Direct Windows SYS calls on the fly.
  • Egress over HTTP, HTTPS, DNS Over HTTPS, SMB and TCP.
  • LDAP Sentinel provides a rich GUI interface to query various LDAP queries to the domain or a forest.
  • Multiple command and control channels – multiple pivot options such as SMB, TCP, WMI, WinRM and managing remote services over RPC.
  • Take screenshots.
  • x64 shellcode loader.
  • Reflective and object file loader.
  • Decoding KRB5 ticket and converting it to hashcat.
  • Patching Event Tracing for Windows (ETW).
  • Patching Anti Malware Scan Interface (AMSI).
  • Create Windows system services.
  • Upload and download files.
  • Create files via CreateFileTransacted.
  • Port scan.

Malware Sample Analysis:

The sample file that has raised no red flags in Virustotal named Roshan_CV.iso appeared as a resume with the name Roshan.

The ISO file doesn’t seem to be a malicious one when double-clicked, it leads to a file named Roshan-Bandara_CV_Dialog with a fake MS Word Icon.

The file once gets double-clicked by users, start and execute and install Brute Ratel C4 on the victim’s system.

Alongside, it contains hidden files that won’t be seen by users, and once researchers disabled the hidden file option, four files popped up, of which one is a Windows shortcut file (LNK).

Once the victim double-clicked on it, the process would look like the following:-

These malicious files are sent to the victims via spear-phishing email campaigns or downloaded to the victim by a second-stage downloader.

Among the list of hidden files that have been dropped, “a Version.dll is a modified version of a legitimate Microsoft file written in C++. The implanted code is used to load and decrypt an encrypted payload file. The decrypted payload is that of shellcode (x64 assembly) that is further used to execute Brute Ratel C4 on the host.” Palo Alto Researchers said.

“Further analysis reveals that the  IP 174.129.157[.]251 is hosted on Amazon AWS, and Palo Alto Networks Cortex Xpanse history shows the IP had TCP port 443 open from April 29, 2022, until May 23, 2022, with a self-signed SSL certificate impersonating Microsoft Security”.

Researchers suspect that the connections to ports 22, 443, and 8060 originated from a Ukrainian IP (213.200.56[.]105) where a residential user is believed to be operating the C2 infrastructure.

Also identified several suspected victims including an Argentinian organization, an IP television provider providing North and South American content, and a major textile manufacturer in Mexico. Palo Alto said.

You can find the IOC details here.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles