Executive Summary
Adversaries have been observed abusing legitimate adversary simulation software in their attacks to stay under the radar and evade detection. One such example sees hacking groups and ransomware operations are moving away from Cobalt Strike to the newer Brute Ratel post-exploitation toolkit to evade detection by EDR and antivirus solutions.
Based on an initial report from Palo Alto Networks Unit 42, they received a malware sample that was uploaded to the VirusTotal database on May 19, 2022, which contained a payload associated with Brute Ratel C4. This tool was found to be specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities.
In this blog, we highlight the capabilities of Brute Ratel C4, Brute Ratel Badgers (agents) and how Brute Ratel C4 is abused by adversaries. Additionally, provide analytics and indicators to help defenders identify behaviors related to Brute Ratel.
What is Brute Ratel C4?
Brute Ratel is an advanced red team and adversary simulation software and made its initial debut as a penetration testing tool in December 2020. It is a post-exploitation C2 framework similar to Cobalt Strike, Sliver, Mythic and Covenant. Much like Cobalt Strike, Brute Ratel enables operators to deploy agents, called Badgers, while inside a target environment that enable arbitrary command execution to perform lateral movement, privilege escalation, and establish additional avenues of persistence. Brute Ratel C4 also goes a level further in receiving consistent updates to evade modern host-based security controls.
In terms of features, BRc4 advertises the following capabilities:
- SMB and TCP payloads provide functionality to write custom external C2 channels over legitimate websites such as Slack, Discord, Microsoft Teams and more.
- Built-in debugger to detect EDR userland hooks
- Ability to keep memory artifacts hidden from EDRs and AV
- Direct Windows SYS calls on the fly
- Egress over HTTP, HTTPS, DNS Over HTTPS, SMB and TCP
- LDAP Sentinel provides a rich GUI interface to query various LDAP queries to the domain or a forest
- Multiple command and control channels – multiple pivot options such as SMB, TCP, WMI, WinRM and managing remote services over RPC
- Take screenshots
- x64 shellcode loader
- Reflective and object file loader
- Decoding KRB5 ticket and converting it to hashcat
- Patching Event Tracing for Windows (ETW)
- Patching Anti Malware Scan Interface (AMSI)
- Create Windows system services
- Upload and download files
- Create files via CreateFileTransacted
- Port scan
Brute Ratel C4 Red Teaming Tool Abused by Adversaries
According to PAN Unit42, threat actors are spreading Brute Ratel C4 as a payload through ISO files via spear-phishing campaigns or downloaded to the victim machine by a second-stage downloader.
The ISO file is not malicious and requires a user to double-click, which mounts the ISO as a Windows drive. Finally, the archived files of the ISO are displayed to the user and the lure file, the one visible to the user is a Windows shortcut file (LNK), which is a malicious payload DLL and a legitimate copy of Microsoft OneDrive Updater. Attempts to execute the benign application from the ISO-mounted folder resulted in the loading of the malicious payload as a dependency through a technique known as DLL search order hijacking. This sample was packaged in a manner consistent with known APT29 techniques and their recent campaigns, which leveraged well-known cloud storage and online collaboration applications. These techniques demonstrate that users of the tool are now applying nation-state tradecraft to deploy BRC4.
If the user were to double-click on the file, the following actions occur and would then install Brute Ratel C4 on the user's machine.
- cmd.exe is launched with the parameters of:
- /c start OneDriveUpdater.exe. The /c parameter instructs cmd.exe to launch OneDriveUpdater.exe via Windows start command from the current working directory and exit.
- OneDriveUpdater.exe is a digitally signed binary by Microsoft that is used to synchronize data from a local machine to the cloud. It is not malicious and is being abused to load the actor’s DLL. Once OneDriveUpdater.exe is executed, the following actions occur:
- Since Version.dll is a dependency DLL of OneDriveUpdater.exe and exists in the same directory as OneDriveUpdater.exe, it will be loaded.
- Version.dll has been modified by the actors to load an encrypted payload file, OneDrive.update. The modification decrypts the file and in-memory loads the first stage of shellcode. To maintain code capabilities, the actors use DLL API proxying to forward requests to the legitimate version.dll named vresion.dll. Vresion.dll is a dependency file of the actor’s version.dll and will be loaded with the actor’s version.dll.
- The in-memory code, that is Brute Ratel C4, executes as a Windows thread in the RuntimeBroker.exe process space and begins to communicate with an IP on TCP port 443.
Execution flow of delivering Brute Ratel C4
In another sample similar to the previous one, there are a few notable differences:
- This ISO does not contain a shortcut LNK file and relies on the victim double clicking the onedrive_fotos.exe binary to load the malicious DLL.
- The initial shellcode is embedded in the hidden DLL and not present as another file in the ISO archive.
A high-level overview of the initial access attack vector
Brute Ratel C4 Overview
Badgers
A Badger is Brute Ratel’s payload for remote access. Badgers support egress over HTTP, HTTPS, DNS Over HTTPS, SMB and TCP. SMB and TCP are peer-to-peer connections for inter-network communications. Badgers are asynchronous and multi-threaded in nature. It will connect back to the Brute Ratel Server every few seconds/minutes/hours as configured with the sleep and jitter values, fetch tasks queued on the Ratel server, run them and return a response as per the sleep cycle. Badgers communicate to each other and to the server over a custom encrypted channel for all types of Badgers i.e. DOH, HTTP, HTTPS, SMB and TCP.
Brute Ratel C4 Server
The Ratel Server is an API driven server which works over HTTP, DNS and WebSocket. Ratel server primarily operates over WebSocket to take commands from the UI/Operator’s client and either consume the request or forward the command in the request to the Badger. All requests and responses, sent and received by the Ratel server are in JSON. The Ratel server also accepts a few command-line arguments. The user can start the server by providing the required command-line arguments or provide a JSON configuration file (C4 Profile) and automate several tasks on the server. Alternatively, it also accepts a certificate and a key file which it uses for HTTPS and WebSocket connections.
C4 Profiles
Listener Profile
Listener profiles can be written in JSON to autostart the listeners when the Ratel server started. Only HTTP/HTTPS listeners (DOH inclusive) can be configured to autostart, since the SMB and TCP listeners are run directly on the Badgers during pivoting. Below is an example of an HTTPS Listener containing a JSON malleable profile and a DNS over HTTPS profile. When a new listener is created using the Commander/Operator, it will autogenerate these profiles and store them in memory.
{
“listeners”: {
“Primary-Https”: {
“auth_count”: 1, // number of authentication keys
“auth_type”: false, // false = Regular keys, true = One Time Auth keys
“c2_authkeys”: [
“abcd@123” // command connection authentication keys in an array
],
“c2_uri”: [
“content.php”, // command connection URIs in an array
“admin.php”,
“login.php”,
“content.js”,
“api”
],
“extra_headers”: { // any extra headers in key/value format
“Cache-Control”: “no-cache”,
“Cookie”: “1babbba6265ca2eba78b6”,
“Host”: “test.azureedge.net”,
“Pragma”: “no-cache”,
“Referer”: “https://mail.microsoft.com”,
“x-pm-apiversion”: “3”,
“x-pm-appversion”: “Web_3.16.33”,
“x-pm-uid”: “d0e1f5b0dc08202064de25a”
},
“host”: “192.168.0.142”, // bind host to listen on
“is_random”: false, // should be ‘false’. It is usually created by the server to autogenerate keys. Reserved for future use
“os_type”: “windows”, // should be ‘windows’. Reserved for future use.
“port”: “443”, // port to listen on
“rotational_host”: “192.168.0.142”, // rotational hosts connection by commas
“ssl”: true, // ssl enabled or disabled
“useragent”: “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36”, // user-agent for the payload
“die_offline”: true // should be ‘true’ or ‘false. This kills the payload if internet connectivity is not available during initial connection.
“proxy”: https://192.168.0.102:8081 // optional proxy server for the payload to connect to, can be http or https
},
“Primary-DOH”: {
“auth_count”: 1, // number of authentication keys
“auth_type”: false, // false = Regular keys, true = One Time Auth keys
“c2_authkeys”: [
“abcd@123” // comma connection authentication keys in an array
],
“c2_uri”: [
“dns-query” // command connection URIs in an array
],
“extra_headers”: { // any extra headers in key/value format
“Content-Type”: “application/dns-message”
},
“host”: “192.168.0.142”, // bind host to listen on
“is_random”: false, // should be ‘false’. It is usually created by the server to autogenerate keys. Reserved for future use
“os_type”: “windows”, // should be ‘windows’. Reserved for future use.
“port”: “443”, // port to listen on
“dnshost”: “dns1.evasionlabs.com”, // DNS hosts to be queried
“rotational_host”: “dns.google”, // rotational DNS servers connection by commas
“idleA”: “8.8.4.4”, // IP to respond for A records request for no commands in listener bucket
“spoofTxt”: “google-site-verification=wD8N7i1JTNTkezJ49swvWW48f8_9xveREV4oB-0Hf5o”, // spoofed TXT records exposed to public
“checkinA”: “8.8.8.8”, // IP to respond for A records request for checking in
“ssl”: true, // ssl enabled or disabled
“useragent”: “Mozilla/5.0 (Windows NT 10.0; Win64; x64) “, // user-agent for the payload
“die_offline”: true // should be ‘true’ or ‘false. This kills the payload if internet connectivity is not available during initial connection.
“proxy”: “https://192.168.0.102:8081” // optional proxy server for the payload to connect to, can be http or https
}
}
}
Sample profile
Payload Profiles
Payload profiles provide a variety of options to configure and build payloads. These payload configurations work independent of the Listener Profiles. These new profiles can be used dynamically during process injections, profile migration or to create new executable/shellcode/dll/ps1 or service executables. There are 4 types of payload profiles
- DOH (DNS over HTTPS)
- HTTP/HTTPS
- TCP
- SMB
Command Profile
C4 profiles allow users to configure custom commands. C4 profiles can be configured to use:
- Reflective DLLs using the register_dll command
- Register a C# executble using the register_pe command
- Register a Buffer OverFlow using register_obj command
Network Communications
Brute Ratel uses a custom encryption algorithm to encrypt the data on network between Badgers and the c4 server. This encryption is performed using either a random key or one provided by the operator. If an operator does not provide an encryption key, the server generates it randomly. This layer of encryption rests below the SSL layer. If any Network-based EDR or network intrusion detection system tries to sniff the traffic using SSL decryption, the inner layer would still be encrypted and appear garbage to the network intrusion detection system.
Based on a traffic analyzed, NetWitness Packet core was able to detect TCP beacon traffic from the Badger.
The Badger sends the following data to the C4 listener IP as a POST request.
Another interesting aspect of this Badger is that it periodically reaches out to ctldl.windowsupdate.com which is hardcoded within the binary. This is likely a cloaking mechanism to throw off AV/EDR/Sandboxes.
NetWitness Detections
The following detections were created to detect Brute Ratel C4 being used by a group known as APT29.
- boc=suspicious tcp beaconing
- boc=Brute Ratel C4 ISO Link File Creation
- Brute Ratel C4 Yara rules [Community]
Indicators of Compromise
IOCs:
|
Name: Roshan_CV.iso SHA256:1fc7b0e1054d54ce8f1de0cc95976081c7a85c7926c03172a3ddaa672690042c |
|
Name: fotos.iso |
|
Name: version.dll SHA256: ea2876e9175410b6f6719f80ee44b9553960758c7d0f7bed73c0fe9a78d8e669 |
|
File: brute-dll-agent.bin (in-memory) |
|
File: versions.dll |
|
File: ONEDRIVE.EXE SHA256: 9f34aa66946343b96a100a16fad02bb669b68d52aeab0bc03c6f58e8695d43cb |
MITRE ATT&CK Tactics and Techniques
Execution TA0002
|
Scripting T1064: Executes commands using a shell command-line interpreter |
|
Shared Modules T1129 |
Privilege Escalation TA0004
|
Process Injection T1055: Maps a DLL or memory area into another process Creates a thread in another existing process (thread injection) Spawns processes Creates a process in suspended mode (likely to inject code) |
|
DLL Side-Loading T1574.002 |
Defense Evasion TA0005
|
Masquerading T1036: Creates files inside the user directory |
|
Process Injection T1055: Maps a DLL or memory area into another process Creates a thread in another existing process (thread injection) Spawns processes Creates a process in suspended mode (likely to inject code) |
|
Virtualization/Sandbox Evasion T1497: May sleep (evasive loops) to hinder dynamic analysis Checks if the current process is being debugged |
|
Timestomp T1070.006: Binary contains a suspicious time stamp |
|
Hidden Files and Directories T1564.001: Creates hidden files, links and/or directories |
Discovery TA0007
|
Remote System Discovery T1018: Reads the hosts file |
|
Process Discovery T1057: Queries a list of all running processes |
| System Information Discovery T1082: Queries the volume information (name, serial number etc) of a device Reads software policies Queries the cryptographic machine GUID |
|
File and Directory Discovery T1083: Enumerates the file system |
|
Virtualization/Sandbox Evasion T1497: May sleep (evasive loops) to hinder dynamic analysis Checks if the current process is being debugged |
|
Security Software Discovery T1518.001: Checks if the current process is being debugged May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory) |
Command and Control TA0011
|
Application Layer Protocol T1071: Uses HTTPS Performs DNS lookups |
|
Encrypted Channel T1573: Uses HTTPS |
Conclusion
BRc4 is equipped with a wide variety of features, such as process injection, automating adversary TTPs, capturing screenshots, uploading and downloading files, support for multiple command-and-control channels, and the ability to keep memory artifacts concealed from anti-malware engines, among others.
The emergence of this new penetration testing and adversary emulation capability is significant. Yet more alarming is the effectiveness of BRc4 at defeating modern defensive EDR and AV detection capabilities. As this framework grows in popularity with threat actors, it is important to understand the many ways in which it can be detected.
References:
Brute Ratel C4 Red Teaming Tool Being Abused by Malicious Actors (paloaltonetworks.com)
https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/
https://blog.spookysec.net/analyzing-brc4-badgers/
