Palo Alto’s Unit 42 recently reported on Brute Ratel C4 (BRc4), a legitimate redteaming and adversarial attack simulation tool being abused by APT 29 threat actors.
- Brute Ratel is a legitimate redteaming and adversarial attack simulation tool that is designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) tools.
- Brute Ratel has multiple features that make it ideal for redteaming, or for abuse by threat actors.
- Russian state-sponsored threat actor group APT 29 was observed using Brute Ratel in a recent campaign.
In May, Unit 42 researchers discovered a new sample containing a malicious payload associated with Brute Ratel. At the time, no engines detected the file as malicious. Brute Ratel C4 (BRc4) is a legitimate redteaming and adversarial attack simulation tool that is designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) tools.
Brute Ratel has a plethora of capabilities, including the following:
- Use of SMB and TCP payloads to write custom external C2 channels over legitimate websites
- A built-in debugger
- The ability to hide memory artifacts from EDRs and AV
- Direct Windows syscalls
- Egress over multiple protocols, including HTTP, HTTPS, DNS over HTTPS, SMB, and TCP
- An LDAP Sentinel GUI interface for LDAP queries
- Support for multiple C2 channels and pivot options
- Managing remote services over RPC
- The ability to take screenshots
- An x64 shellcode loader
- A reflective and object file loader
- The ability to decode a KRB5 ticket and convert it to hashcat format
- Patching Event Tracing for Windows (ETW)
- Patching the Antimalware Scan Interface (AMSI)
- Uploading and downloading files
- Creating files using CreateFileTransacted
- Port scanning
One sample they analyzed was named Roshan_CV.iso, a curriculum vitae file in ISO format. If the victim double-clicks the file, it mounts as a Windows drive, displaying the archived files. It contains four hidden files and one visible file. The visible file within the ISO masquerades as a Microsoft Word file. Double-clicking on the fake Word file, which is actually an LNK file, installs Brute Ratel on the victim’s machine. It also launches cmd.exe, which in turn launches OneDriveUpdater.exe.
OneDriveUpdater.exe is a legitimate binary digitally signed by Microsoft, abused here to load a DLL. When OneDriveUpdater.exe is executed, it loads Version.dll, which is one of its dependencies. The threat actors modified Version.dll so that it loads an encrypted payload named OneDrive.update, decrypts it, and loads the first stage of the shellcode in memory. The in-memory code is Brute Ratel, which executes as a Windows thread in the RuntimeBroker.exe process space and begins to contact the C2. The C2 for this sample was 174.129.157[.]251.
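The side-loading step described above leaves a detectable trace: a copy of version.dll loaded from somewhere other than the Windows system directories, sitting next to the executable that loads it. The following is an added example, not code from Unit 42 or PolySwarm, that applies that check to image-load records; the field names follow Sysmon Event ID 7, and the drive letter, paths and sample events are constructed for illustration.

```python
import ntpath

# Directories that hold the genuine Windows version.dll.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# DLL name from the chain described above; extend for other side-loading hosts.
WATCHED_DLLS = {"version.dll"}

def sideload_reason(event):
    """Return a reason string if an image-load event looks like side-loading, else None."""
    image = event["Image"].lower()
    dll_dir, dll_name = ntpath.split(event["ImageLoaded"].lower())
    if dll_name not in WATCHED_DLLS or dll_dir in SYSTEM_DIRS:
        return None
    reasons = [f"{dll_name} loaded from {dll_dir}"]
    # Search-order side-loading: the DLL sits beside the executable that loads it.
    if ntpath.dirname(image) == dll_dir:
        reasons.append("same directory as host executable")
    if event.get("Signed") != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("module not validly signed")
    return "; ".join(reasons)

def scan(events):
    """Return (Image, reason) for every suspicious image-load event."""
    hits = []
    for ev in events:
        reason = sideload_reason(ev)
        if reason:
            hits.append((ev["Image"], reason))
    return hits

# Constructed sample events (not taken from the Unit 42 report).
SAMPLE_EVENTS = [
    # Signed host run from a mounted image, loading an unsigned DLL beside it.
    {"Image": r"E:\OneDriveUpdater.exe", "ImageLoaded": r"E:\Version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # Same host name loading the genuine system DLL (hypothetical install path).
    {"Image": r"C:\Example\OneDriveUpdater.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # Unrelated load that must not alert.
    {"Image": r"C:\Windows\System32\RuntimeBroker.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for image, reason in scan(SAMPLE_EVENTS):
        print(f"ALERT {image}: {reason}")
```

Only the first constructed event alerts; the check keys on where the DLL was loaded from rather than on the host binary, which is validly signed in both cases.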
Unit 42 attributed the activity to APT 29, as the sample was packaged in a manner consistent with recent APT 29 campaign TTPs. Unit 42 stressed the danger of this potent and undetectable tool being used by threat actors. Criminal threat actor groups, including individuals formerly associated with Conti, are reportedly using Brute Ratel as well, in place of Cobalt Strike.
Who is APT 29?
APT 29, also known as Cozy Bear, CozyCar, CozyDuke, Dark Halo, The Dukes, NOBELIUM, Office Monkeys, StellarParticle, UNC2452, and YTTRIUM, has been active since at least 2008. Historically, APT 29 has targeted government networks in Europe and NATO countries, as well as research institutes and think tanks. Other APT 29 targets have included those in the biotechnology, consulting, education, financial, healthcare, legal services, technology, pharmaceutical, telecommunications, travel, and scientific research verticals. High-profile attacks attributed to APT 29 include attacks on the Democratic National Committee in 2015, the 2020 SolarWinds supply chain attack, and a 2021 attack on the Republican National Committee.
APT 29 is thought to operate on behalf of the Russian government, more specifically Russia’s Foreign Intelligence Service (SVR), with intelligence collection and espionage among their primary objectives. APT 29 has collaborated with the Fancy Bear threat actor group in the past. Joint activity is categorized as Grizzly Steppe. APT 29 TTPs and tooling include, but are not limited to, spearphishing, supply chain attacks, Sibot, MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke.
PolySwarm has multiple samples associated with APT 29’s use of Brute Ratel.
You can use the following CLI command to search for all Brute Ratel samples in our portal:
$ polyswarm link list -f BruteRatel