The PolySwarm Blog


APT 29 Using Brute Ratel

Jul 25, 2022 1:58:05 PM / by PolySwarm Tech Team


Executive Summary

Palo Alto Networks’ Unit 42 recently reported on Brute Ratel C4 (BRc4), a legitimate red teaming and adversarial attack simulation tool that is being abused by threat actors, in activity Unit 42 attributed to APT 29.

Key Takeaways

  • Brute Ratel C4 is a legitimate red teaming and adversarial attack simulation tool designed to evade endpoint detection and response (EDR) and antivirus (AV) products. 
  • Brute Ratel has many features that make it attractive for red teaming and, equally, for abuse by threat actors. 
  • Unit 42 attributed a recent campaign using Brute Ratel to APT 29, a Russian state-sponsored threat actor group.

What is Brute Ratel?

In May 2022, Unit 42 researchers discovered a new sample containing a malicious payload associated with Brute Ratel. At the time, no antivirus engines detected the file as malicious. Brute Ratel C4 (BRc4) is a legitimate red teaming and adversarial attack simulation tool designed to evade endpoint detection and response (EDR) and antivirus (AV) products.

Brute Ratel has a wide range of capabilities, including the following:
  • SMB and TCP payloads that can be used to build custom external C2 channels over legitimate websites
  • A built-in debugger
  • The ability to hide in-memory artifacts from EDR and AV products
  • Direct Windows syscalls
  • Egress over multiple protocols, including HTTP, HTTPS, DNS over HTTPS, SMB, and TCP
  • An LDAP Sentinel GUI for LDAP queries
  • Support for multiple C2 channels and pivot options
  • Managing remote services over RPC
  • The ability to take screenshots
  • An x64 shellcode loader
  • A reflective and object file loader
  • The ability to decode a KRB5 ticket and convert it to hashcat format
  • Patching Event Tracing for Windows (ETW)
  • Patching the Antimalware Scan Interface (AMSI)
  • Uploading and downloading files
  • Creating files using CreateFileTransacted
  • Port scanning

Upon further analysis, Unit 42 found that the C2 server was hosted on an Amazon Web Services (AWS) IP address and that the implant communicated with it over port 443. The X.509 certificate presented on the listening port was configured to impersonate Microsoft. Pivoting on the certificate and other artifacts, Unit 42 researchers identified 41 malicious IP addresses and nine Brute Ratel samples associated with the activity, along with three additional victims based in North and South America.

One sample Unit 42 analyzed was named Roshan_CV.iso, a purported curriculum vitae delivered as an ISO image. When the victim double-clicks the file, Windows mounts it as a drive and displays its contents: four hidden files and one visible file. The visible file masquerades as a Microsoft Word document but is actually an LNK shortcut. Double-clicking it results in Brute Ratel being installed on the victim’s machine: the LNK launches cmd.exe, which in turn launches OneDriveUpdater.exe, a legitimate Microsoft-signed binary that the attackers abuse for DLL side-loading. When OneDriveUpdater.exe runs, it loads Version.dll, one of its dependencies; the threat actors replaced this DLL with a modified copy that reads an encrypted payload named OneDrive.update, decrypts it, and loads the first stage of the shellcode into memory. The in-memory code is Brute Ratel, which executes as a Windows thread in the RuntimeBroker.exe process space and begins contacting the C2. The C2 for this sample was 174.129.157[.]251.
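As an added illustration (this is not code from the Unit 42 report or from PolySwarm), the following Python sketch runs three detection checks over constructed Sysmon-style events that mirror the chain just described: OneDriveUpdater.exe spawned by cmd.exe from outside its usual install directory, Version.dll loaded by OneDriveUpdater.exe from somewhere other than the Windows system directories (the side-load), and RuntimeBroker.exe connecting to a public IP address. The event field names, the mounted-drive paths, the process IDs, the benign control events and the allowlisted OneDrive directories are all assumptions; only the C2 address comes from the report.

```python
import ipaddress
from pathlib import PureWindowsPath

# Constructed Sysmon-style events: event_id 1 = process create, 7 = image load,
# 3 = network connection. Field names loosely follow Sysmon's schema; the values
# are invented to mirror the Roshan_CV.iso chain (E:\ stands in for the mounted
# ISO), except the C2 address, which is the one reported by Unit 42.
SAMPLE_EVENTS = [
    {"event_id": 1, "pid": 5120, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"event_id": 1, "pid": 5132, "image": r"E:\OneDriveUpdater.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"event_id": 7, "pid": 5132, "image": r"E:\OneDriveUpdater.exe",
     "image_loaded": r"E:\Version.dll"},
    {"event_id": 7, "pid": 5132, "image": r"E:\OneDriveUpdater.exe",
     "image_loaded": r"C:\Windows\System32\kernel32.dll"},
    {"event_id": 3, "pid": 5200, "image": r"C:\Windows\System32\RuntimeBroker.exe",
     "dest_ip": "174.129.157.251", "dest_port": 443},
    # Benign controls (constructed): RuntimeBroker talking to an internal host,
    # and a real OneDrive updater run that loads version.dll from System32.
    {"event_id": 3, "pid": 5200, "image": r"C:\Windows\System32\RuntimeBroker.exe",
     "dest_ip": "10.0.0.5", "dest_port": 445},
    {"event_id": 1, "pid": 6000,
     "image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveUpdater.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"event_id": 7, "pid": 6000,
     "image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveUpdater.exe",
     "image_loaded": r"C:\Windows\System32\version.dll"},
]

# Where a legitimately loaded version.dll should come from.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Assumption: directory fragments in which OneDriveUpdater.exe normally lives.
EXPECTED_ONEDRIVE_DIRS = (
    r"\appdata\local\microsoft\onedrive",
    r"\program files\microsoft onedrive",
    r"\program files (x86)\microsoft onedrive",
)


def _basename(path):
    return PureWindowsPath(path).name.lower()


def _dirname(path):
    return str(PureWindowsPath(path).parent).lower()


def suspicious_onedrive_launch(ev):
    """OneDriveUpdater.exe started by cmd.exe from an unexpected directory."""
    return (ev["event_id"] == 1
            and _basename(ev["image"]) == "onedriveupdater.exe"
            and _basename(ev["parent_image"]) == "cmd.exe"
            and not any(d in _dirname(ev["image"]) for d in EXPECTED_ONEDRIVE_DIRS))


def version_dll_sideload(ev):
    """OneDriveUpdater.exe resolving version.dll outside the Windows system directories."""
    return (ev["event_id"] == 7
            and _basename(ev["image"]) == "onedriveupdater.exe"
            and _basename(ev["image_loaded"]) == "version.dll"
            and not _dirname(ev["image_loaded"]).startswith(SYSTEM_DIRS))


def runtimebroker_egress(ev):
    """RuntimeBroker.exe opening a connection to a globally routable address."""
    if ev["event_id"] != 3 or _basename(ev["image"]) != "runtimebroker.exe":
        return False
    return ipaddress.ip_address(ev["dest_ip"]).is_global


RULES = [
    ("onedriveupdater_from_cmd", suspicious_onedrive_launch),
    ("version_dll_sideload", version_dll_sideload),
    ("runtimebroker_egress", runtimebroker_egress),
]


def scan(events):
    """Return (rule_name, pid) for every event that trips a rule, in event order."""
    return [(name, ev["pid"]) for ev in events for name, rule in RULES if rule(ev)]


def correlate(findings):
    """Group hits by PID so a launch plus a side-load in one process stands out."""
    by_pid = {}
    for name, pid in findings:
        by_pid.setdefault(pid, set()).add(name)
    return by_pid


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for pid, names in sorted(correlate(hits).items()):
        print(f"pid {pid}: {', '.join(sorted(names))}")
```

The launch and side-load rules fire on the same PID, which is the signal worth alerting on; the RuntimeBroker.exe egress is listed separately because the report does not say how the thread ends up in that process, so the sketch does not try to tie it to the updater by PID.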

Unit 42 attributed the activity to APT 29, as the sample was packaged in a manner consistent with recent APT 29 campaign TTPs. Unit 42 stressed the danger of this potent tool, which evaded every detection engine at the time, being used by threat actors. Criminal groups, reportedly including individuals formerly associated with Conti, are also using Brute Ratel in place of Cobalt Strike.

Who is APT 29?

APT 29, also known as Cozy Bear, CozyCar, CozyDuke, Dark Halo, The Dukes, NOBELIUM, Office Monkeys, StellarParticle, UNC2452, and YTTRIUM, has been active since at least 2008. Historically, APT 29 has targeted government networks in Europe and NATO countries, as well as research institutes and think tanks. Other APT 29 targets have included the biotechnology, consulting, education, financial, healthcare, legal services, technology, pharmaceutical, telecommunications, travel, and scientific research verticals. High-profile attacks attributed to APT 29 include the 2015 intrusion into the Democratic National Committee, the 2020 SolarWinds supply chain attack, and a 2021 attack on the Republican National Committee.

APT 29 is thought to operate on behalf of the Russian government, specifically Russia’s Foreign Intelligence Service (SVR), with intelligence collection and espionage among its primary objectives. APT 29 has collaborated with the Fancy Bear (APT 28) threat actor group in the past; the US government tracks their combined activity under the name Grizzly Steppe. APT 29 TTPs include, but are not limited to, spearphishing and supply chain attacks, and its malware arsenal includes Sibot, MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke.


PolySwarm has multiple samples associated with APT 29’s use of Brute Ratel.

You can use the following CLI command to search for all Brute Ratel samples in our portal:

$ polyswarm link list -f BruteRatel


Topics: Threat Bulletin, Brute Ratel, APT29, CozyDuke, brc4, Cozy Bear, Cozycar, Dark Halo, Dukes, NOBELIUM, Office Monkeys, StellarParticle, UNC2452, YTTRIUM
