Executive Summary
Palo Alto’s Unit 42 recently reported on Brute Ratel C4 (BRc4), a legitimate redteaming and adversarial attack simulation tool being abused by APT 29 threat actors.
Key Takeaways
- Brute Ratel is a legitimate redteaming and adversarial attack simulation tool that is designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) tools.
- Brute Ratel has multiple features that make it ideal for redteaming, or for abuse by threat actors.
- Russian state-sponsored threat actor group APT 29 was observed using Brute Ratel in a recent campaign.
In May, Unit 42 researchers discovered a new sample containing a malicious payload associated with Brute Ratel. At the time, no engines detected the file as malicious. Brute Ratel C4 (BRc4) is a legitimate redteaming and adversarial attack simulation tool that is designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) tools.
Brute Ratel has a plethora of capabilities, including the following:
- Use of SMB and TCP payloads to write custom external C2 channels over legitimate websites
- A built-in debugger
- The ability to hide memory artifacts from EDRs and AV
- Direct Windows syscalls
- Egress over multiple protocols, including HTTP, HTTPS, DNS over HTTPS, SMB, and TCP
- An LDAP Sentinel GUI interface for LDAP queries
- Support for multiple C2 channels and pivot options
- Managing remote services over RPC
- The ability to take screenshots
- An x64 shellcode loader
- A reflective and object file loader
- Ability to decode a KRB5 ticket and convert it to hashcat
- Patching Event Tracing for Windows (ETW)
- Patching Anti Malware Scan Interface (AMSI)
- Uploading and downloading files
- Creating files using CreateFileTransacted
- Port scanning
One sample they analyzed was named Roshan_CV.iso, a curriculum vitae file in ISO format. If the victim double-clicks the file, it mounts as a Windows drive, displaying the archived files. It contains four hidden files and one visible file. The visible file within the ISO masquerades as a Microsoft Word file. Double-clicking on the fake Word file, which is actually an LNK file, installs Brute Ratel on the victim’s machine. It also launches cmd.exe, which in turn launches OneDriveUpdater.exe. OneDriveUpdater.exe is a legitimate, Microsoft-signed binary that is abused to load a DLL. When OneDriveUpdater.exe is executed, a file called Version.dll, which is a dependency of OneDriveUpdater.exe, is loaded. Version.dll was modified by the threat actors and loads an encrypted payload named OneDrive.update. It decrypts the file and loads the first stage of the shellcode in memory. The in-memory code is Brute Ratel, which executes as a Windows thread in the RuntimeBroker.exe process space and begins to contact the C2. The C2 for this sample was 174.129.157[.]251.
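The delivery chain above leaves several host-level signals that a defender can alert on independently of the payload's evasion features: a Microsoft-signed updater executing from a mounted ISO drive rather than its install directory, version.dll being resolved from that same directory instead of System32 (the sideload), a thread created in RuntimeBroker.exe by a different process, and an outbound connection to the C2 address reported by Unit 42. The following is an added example, not code from PolySwarm or Unit 42, that encodes those four checks as rules over a simplified Sysmon-style event layout (event IDs 1, 3, 7 and 8 and the field names Image, ParentImage, ImageLoaded, SourceImage, TargetImage and DestinationIp are Sysmon's; the dict structure, the trusted-directory list and the E:\ mount path in the sample events are assumptions constructed for illustration).

```python
"""Rule-based detection for the Brute Ratel delivery chain described above.

Added example; not part of the PolySwarm or Unit 42 write-ups. Events are
plain dicts laid out like Sysmon records (constructed for this example).
"""
from pathlib import PureWindowsPath

# Directories from which the Microsoft-signed OneDrive updater is expected
# to run (assumption: install roots plus the per-user OneDrive folder).
TRUSTED_DIRS = (
    r"c:\program files",
    r"c:\windows",
    r"\appdata\local\microsoft\onedrive",
)
# version.dll is a system DLL; anywhere else is a sideload candidate.
SYSTEM_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# C2 address reported by Unit 42 for the Roshan_CV.iso sample.
KNOWN_C2 = {"174.129.157.251"}


def _lower(path: str) -> str:
    """Normalise a Windows path for case-insensitive substring matching."""
    return str(PureWindowsPath(path)).lower()


def _in_dirs(path: str, dirs) -> bool:
    low = _lower(path)
    return any(d in low for d in dirs)


def _basename(path: str) -> str:
    return PureWindowsPath(_lower(path)).name


def check_process_create(ev):
    """Event 1: signed OneDrive updater launched from an untrusted location."""
    if _basename(ev["Image"]) == "onedriveupdater.exe" and not _in_dirs(ev["Image"], TRUSTED_DIRS):
        return ("untrusted_lolbin_path",
                f"{ev['Image']} started by {ev.get('ParentImage', '?')} outside its install directory")
    return None


def check_image_load(ev):
    """Event 7: version.dll resolved from a non-system directory (DLL sideload)."""
    if _basename(ev["ImageLoaded"]) == "version.dll" and not _in_dirs(ev["ImageLoaded"], SYSTEM_DLL_DIRS):
        return ("dll_sideload", f"{ev['Image']} loaded {ev['ImageLoaded']}")
    return None


def check_remote_thread(ev):
    """Event 8: a thread created in RuntimeBroker.exe by another process."""
    src, tgt = _basename(ev["SourceImage"]), _basename(ev["TargetImage"])
    if tgt == "runtimebroker.exe" and src != tgt:
        return ("remote_thread_runtimebroker", f"{ev['SourceImage']} -> {ev['TargetImage']}")
    return None


def check_network(ev):
    """Event 3: outbound connection to a known Brute Ratel C2 address."""
    if ev["DestinationIp"] in KNOWN_C2:
        return ("known_c2", f"{ev['Image']} connected to {ev['DestinationIp']}")
    return None


RULES = {1: check_process_create, 3: check_network, 7: check_image_load, 8: check_remote_thread}


def detect(events):
    """Run every applicable rule over the events; return (rule_name, detail) alerts."""
    alerts = []
    for ev in events:
        rule = RULES.get(ev["EventID"])
        hit = rule(ev) if rule else None
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample telemetry: the first four events reproduce the chain
# from a mounted ISO (assumed drive letter E:), the last two are benign.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"E:\OneDriveUpdater.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 7, "Image": r"E:\OneDriveUpdater.exe", "ImageLoaded": r"E:\version.dll"},
    {"EventID": 8, "SourceImage": r"E:\OneDriveUpdater.exe",
     "TargetImage": r"C:\Windows\System32\RuntimeBroker.exe"},
    {"EventID": 3, "Image": r"C:\Windows\System32\RuntimeBroker.exe", "DestinationIp": "174.129.157.251"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveUpdater.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveUpdater.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
]

if __name__ == "__main__":
    for name, detail in detect(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
```

The path and sideload rules fire on the malicious events only because the legitimate updater runs from its own install folder and resolves version.dll from System32; tuning TRUSTED_DIRS to the paths actually seen in your environment is what keeps the first rule from becoming noisy. The C2 rule is the weakest of the four, since the address is trivially changed between samples, so the behavioural rules should carry the detection.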
Unit 42 attributed the activity to APT 29, as the sample was packaged in a manner consistent with recent APT 29 campaign TTPs. Unit 42 stressed the danger of this potent and undetectable tool being used by threat actors. Criminal threat actor groups, including individuals formerly associated with Conti, are reportedly using Brute Ratel as well, in place of Cobalt Strike.
Who is APT 29?
APT 29, also known as Cozy Bear, CozyCar, CozyDuke, Dark Halo, The Dukes, NOBELIUM, Office Monkeys, StellarParticle, UNC2452, and YTTRIUM, has been active since at least 2008. Historically, APT 29 has targeted government networks in Europe and NATO countries, as well as research institutes and think tanks. Other APT 29 targets have included those in the biotechnology, consulting, education, financial, healthcare, legal services, technology, pharmaceutical, telecommunications, travel, and scientific research verticals. High-profile attacks attributed to APT 29 include attacks on the Democratic National Committee in 2015, the 2020 SolarWinds supply chain attack, and a 2021 attack on the Republican National Committee.
APT 29 is thought to operate on behalf of the Russian government, more specifically Russia’s Foreign Intelligence Service (SVR), with intelligence collection and espionage among their primary objectives. APT 29 has collaborated with the Fancy Bear threat actor group in the past; their joint activity is categorized as Grizzly Steppe. APT 29 TTPs and tooling include, but are not limited to, spearphishing, supply chain attacks, and the Sibot, MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke malware families.
IOCs
PolySwarm has multiple samples associated with APT 29’s use of Brute Ratel.
31acf37d180ab9afbcf6a4ec5d29c3e19c947641a2d9ce3ce56d71c1f576c069
3ad53495851bafc48caf6d2227a434ca2e0bef9ab3bd40abfe4ea8f318d37bbe
3ed21a4bfcf9838e06ad3058d13d5c28026c17dc996953a22a00f0609b0df3b9
973f573cab683636d9a70b8891263f59e2f02201ffb4dd2e9d7ecbb1521da03e
d71dc7ba8523947e08c6eec43a726fe75aed248dfd3a7c4f6537224e9ed05f6f
dd8652e2dcfe3f1a72631b3a9585736fbe77ffabee4098f6b3c48e1469bf27aa
ef9b60aa0e4179c16a9ac441e0a21dc3a1c3dc04b100ee487eabf5c5b1f571a6
You can use the following CLI command to search for all Brute Ratel samples in our portal:
$ polyswarm link list -f BruteRatel