During routine malware sample analysis, researchers from Palo Alto Networks' Unit 42 uncovered a new sample carrying a payload associated with Brute Ratel C4 (BRc4), a commercial red-team command-and-control tool used in the pentesting industry to simulate adversary attacks.
Threat actors are moving away from Cobalt Strike and adopting Brute Ratel, a commercially sold red-teaming post-exploitation framework that was built specifically to evade antivirus and endpoint detection and response (EDR) products.
Brute Ratel C4 was initially developed as a penetration-testing tool by Indian security engineer Chetan Nayak. He has kept extending it with red-teaming features and recently released Brute Ratel v0.9.0 (Checkmate), described as the "biggest release for Brute Ratel to date."
Before that release, most of the industry-leading EDR and antivirus products were reverse engineered and the tool was tested against them to maximise its evasion capabilities.
The tool is advertised as "A Customized Command and Control Center for Red Team and Adversary Simulation" and is said to be used by more than 350 customers.
BRc4 bundles several capabilities, including the following:
The sample, an ISO file named Roshan_CV.iso that raised no red flags on VirusTotal, posed as the resume of a person named Roshan.
Double-clicking the ISO does not look malicious: it mounts and shows a file named Roshan-Bandara_CV_Dialog carrying a fake Microsoft Word icon.
When the user double-clicks that file, it runs and installs Brute Ratel C4 on the victim's system.
The ISO also contains hidden files the user never sees; once the researchers turned off the option that hides such files, four more files appeared, one of them a Windows shortcut (LNK).
Once the victim double-clicks it, the execution chain looks like this:
These files reach victims through spear-phishing email campaigns or are fetched onto the machine by a second-stage downloader.
Among the hidden files dropped, "a Version.dll is a modified version of a legitimate Microsoft file written in C++. The implanted code is used to load and decrypt an encrypted payload file. The decrypted payload is that of shellcode (x64 assembly) that is further used to execute Brute Ratel C4 on the host," Palo Alto researchers said.
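The chain described above (a lone visible shortcut posing as a document, hidden files beside it, and a copy of a well-known system DLL such as Version.dll shipped next to an executable so the loader picks it up instead of the real one) is a pattern a responder can triage mechanically from nothing more than a directory listing of the mounted ISO. The script below is an added example written for this article, not code from Unit 42 or from the Brute Ratel authors. The listing it inspects is constructed: only Version.dll and the CV_Dialog shortcut are names that appear in the report; Updater.exe and update.dat are invented stand-ins for the unnamed host executable and encrypted payload, and the set of hijackable DLLs is an illustrative subset.

```python
"""Triage heuristic for the ISO -> LNK -> sideloaded DLL chain described above.

Added example, not code from Unit 42 or from the article. The directory listing
is constructed; only 'Version.dll' and the CV_Dialog shortcut are names from the report.
"""
from dataclasses import dataclass

# System DLLs often planted next to a legitimate EXE so the loader resolves them
# from the EXE's own directory instead of System32 (DLL search-order hijacking).
# Assumption: an illustrative subset, not an exhaustive list.
HIJACKABLE_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "cryptsp.dll", "wtsapi32.dll"}

# Words that make a file name look like a document a user would open.
DOC_HINTS = ("cv", "resume", "invoice", "report")

# Extensions that are not a candidate for an opaque encrypted payload blob.
KNOWN_EXTS = {"exe", "dll", "lnk", "doc", "docx", "pdf", "txt"}


@dataclass(frozen=True)
class Entry:
    name: str
    hidden: bool
    size: int  # bytes


def _ext(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def triage_listing(entries: list[Entry]) -> list[str]:
    """Return findings for one mounted ISO / extracted archive listing."""
    findings = []
    visible = [e for e in entries if not e.hidden]
    hidden = [e for e in entries if e.hidden]
    exes = [e for e in entries if _ext(e.name) == "exe"]

    # 1. Lure layout: everything the user can see is a shortcut; the rest is hidden.
    if visible and hidden and all(_ext(e.name) == "lnk" for e in visible):
        findings.append(f"LURE: only visible item(s) are LNK shortcuts; {len(hidden)} hidden file(s)")

    # 2. Masquerade: Explorer hides the .lnk extension, so a shortcut named like a
    #    document passes for one (the fake Word icon completes the disguise).
    for e in visible:
        if _ext(e.name) == "lnk" and any(h in e.name.lower() for h in DOC_HINTS):
            findings.append(f"MASQUERADE: shortcut {e.name} is named like a document")

    # 3. Sideloading: a hijackable system DLL shipped beside an executable.
    for e in entries:
        if e.name.lower() in HIJACKABLE_SYSTEM_DLLS and exes:
            hosts = ", ".join(x.name for x in exes)
            findings.append(f"SIDELOAD: {e.name} shipped beside {hosts}")

    # 4. Opaque blob: a hidden, non-trivial file with no recognised extension is a
    #    candidate for the encrypted payload the sideloaded DLL decrypts.
    for e in hidden:
        if _ext(e.name) not in KNOWN_EXTS and e.size > 4096:
            findings.append(f"PAYLOAD?: hidden opaque file {e.name} ({e.size} bytes)")
    return findings


# Constructed listing modelled on the chain in the article (names other than
# Version.dll and the CV_Dialog shortcut are invented for illustration).
SAMPLE_ISO = [
    Entry("Roshan-Bandara_CV_Dialog.lnk", hidden=False, size=2_318),
    Entry("Updater.exe", hidden=True, size=1_204_224),   # constructed host EXE name
    Entry("Version.dll", hidden=True, size=94_208),      # modified system DLL named in the report
    Entry("update.dat", hidden=True, size=262_144),      # constructed name for the encrypted payload
]

# Constructed benign listing to show the heuristic stays quiet on ordinary media.
BENIGN_MEDIA = [
    Entry("Quarterly_Report.docx", hidden=False, size=48_000),
    Entry("notes.txt", hidden=False, size=900),
]

if __name__ == "__main__":
    for finding in triage_listing(SAMPLE_ISO):
        print(finding)
    print("benign:", triage_listing(BENIGN_MEDIA))
```

The four checks are independent, so a listing that trips only one of them (say, a Version.dll beside an EXE in an extracted ZIP) still produces a finding; the combination seen here is what makes the sample worth immediate escalation. A real deployment would feed the function from the mounted volume rather than a hand-built list and would extend HIJACKABLE_SYSTEM_DLLS from the organisation's own sideloading watch-list.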
"Further analysis reveals that the IP 174.129.157[.]251 is hosted on Amazon AWS, and Palo Alto Networks Cortex Xpanse history shows the IP had TCP port 443 open from April 29, 2022, until May 23, 2022, with a self-signed SSL certificate impersonating Microsoft Security," the report continues.
The researchers suspect that the connections to ports 22, 443 and 8060 originated from a Ukrainian IP (213.200.56[.]105), where a residential user is believed to be operating the C2 infrastructure.
Palo Alto also identified several suspected victims, including an Argentinian organization, an IP television provider serving North and South American content, and a major textile manufacturer in Mexico.
The IOC details are available in the Unit 42 report.