FirstWatch Threat Spotlight: Brute Ratel C4

jeethmathai
2023-01-31 09:54 AM

Executive Summary

Adversaries have been observed abusing legitimate adversary simulation software in their attacks to stay under the radar and evade detection. One such example is hacking groups and ransomware operations moving away from Cobalt Strike to the newer Brute Ratel post-exploitation toolkit to evade detection by EDR and antivirus solutions.

 

According to an initial report from Palo Alto Networks Unit 42, a malware sample uploaded to the VirusTotal database on May 19, 2022 contained a payload associated with Brute Ratel C4. This tool was found to be specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities.

 

In this blog, we highlight the capabilities of Brute Ratel C4 and its Badgers (agents) and how Brute Ratel C4 is abused by adversaries. Additionally, we provide analytics and indicators to help defenders identify behaviors related to Brute Ratel.

 

 

What is Brute Ratel C4?

Brute Ratel is an advanced red team and adversary simulation software that made its initial debut as a penetration testing tool in December 2020. It is a post-exploitation C2 framework similar to Cobalt Strike, Sliver, Mythic and Covenant. Much like Cobalt Strike, Brute Ratel enables operators to deploy agents, called Badgers, inside a target environment; these enable arbitrary command execution to perform lateral movement and privilege escalation and to establish additional avenues of persistence. Brute Ratel C4 also goes a level further in receiving consistent updates to evade modern host-based security controls.

 

In terms of features, BRc4 advertises the following capabilities:

  • SMB and TCP payloads provide functionality to write custom external C2 channels over legitimate websites such as Slack, Discord, Microsoft Teams and more.
  • Built-in debugger to detect EDR userland hooks
  • Ability to keep memory artifacts hidden from EDRs and AV
  • Direct Windows SYS calls on the fly
  • Egress over HTTP, HTTPS, DNS Over HTTPS, SMB and TCP
  • LDAP Sentinel provides a rich GUI to run various LDAP queries against the domain or a forest
  • Multiple command and control channels – multiple pivot options such as SMB, TCP, WMI, WinRM and managing remote services over RPC
  • Take screenshots
  • x64 shellcode loader
  • Reflective and object file loader
  • Decoding KRB5 tickets and converting them to hashcat format
  • Patching Event Tracing for Windows (ETW)
  • Patching Anti Malware Scan Interface (AMSI)
  • Create Windows system services
  • Upload and download files
  • Create files via CreateFileTransacted
  • Port scan

 

Brute Ratel C4 Red Teaming Tool Abused by Adversaries

According to PAN Unit42, threat actors are spreading Brute Ratel C4 as a payload packaged in ISO files, delivered via spear-phishing campaigns or downloaded to the victim machine by a second-stage downloader.

 

The ISO file itself is not malicious and requires a user to double-click it, which mounts the ISO as a Windows drive. The files in the ISO are then displayed to the user; the lure, the only file visible to the user, is a Windows shortcut file (LNK), alongside which sit a malicious payload DLL and a legitimate copy of Microsoft OneDrive Updater. Attempts to execute the benign application from the ISO-mounted folder resulted in the loading of the malicious payload as a dependency through a technique known as DLL search order hijacking. This sample was packaged in a manner consistent with known APT29 techniques and their recent campaigns, which leveraged well-known cloud storage and online collaboration applications. These techniques demonstrate that users of the tool are now applying nation-state tradecraft to deploy BRC4.

 

If the user double-clicks the LNK file, the following actions occur, installing Brute Ratel C4 on the user's machine:

  1. cmd.exe is launched with the parameters /c start OneDriveUpdater.exe. The /c parameter instructs cmd.exe to launch OneDriveUpdater.exe via the Windows start command from the current working directory and exit.
  2. OneDriveUpdater.exe is a binary digitally signed by Microsoft that is used to synchronize data from a local machine to the cloud. It is not malicious and is being abused to load the actor's DLL. Once OneDriveUpdater.exe is executed, the following actions occur:
    • Since Version.dll is a dependency of OneDriveUpdater.exe and exists in the same directory as OneDriveUpdater.exe, it is loaded.
    • Version.dll has been modified by the actors to load an encrypted payload file, OneDrive.update. The modification decrypts the file and loads the first stage of shellcode in memory. To maintain code capabilities, the actors use DLL API proxying to forward requests to the legitimate version.dll, renamed vresion.dll. Vresion.dll is a dependency of the actor's version.dll and is loaded along with it.
  3. The in-memory code, that is Brute Ratel C4, executes as a Windows thread in the RuntimeBroker.exe process space and begins to communicate with an IP on TCP port 443.

[Figure: Execution flow of delivering Brute Ratel C4]
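As an added example (not code from the post, NetWitness or Unit 42), the following Python flags the side-loading pattern just described in image-load telemetry: a signed executable loading version.dll from its own directory rather than System32, plus the look-alike vresion.dll name. The event fields, signer strings and sample events are constructed.

```python
"""Spot the DLL search-order hijack described above: Microsoft-signed
OneDriveUpdater.exe loading Version.dll from its own directory instead of
System32, with a look-alike vresion.dll carrying the real exports.
Added example, not NetWitness or Unit 42 code. The ImageLoad fields mirror
image-load telemetry such as Sysmon Event ID 7; events and signer strings
below are constructed."""
import difflib
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# DLLs a well-behaved process resolves from the system directory. version.dll
# is the one in the post; the other names are added here as an assumption.
SYSTEM_DLLS = {"version.dll", "wtsapi32.dll", "dbghelp.dll", "userenv.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

@dataclass
class ImageLoad:
    image: str           # full path of the process executable
    image_signer: str    # signer of the executable ("" if unsigned)
    loaded: str          # full path of the module that was loaded
    loaded_signer: str   # signer of the loaded module ("" if unsigned)

def is_sideload(ev: ImageLoad) -> bool:
    """True when a normally system-resolved DLL is loaded from the executable's
    own directory and does not carry the executable's signer."""
    dll = PureWindowsPath(ev.loaded)
    if dll.name.lower() not in SYSTEM_DLLS:
        return False
    if str(dll).lower().startswith(SYSTEM_DIRS):
        return False                         # loaded from System32: expected
    if dll.parent != PureWindowsPath(ev.image).parent:
        return False                         # not the side-by-side pattern
    # A vendor shipping its own copy of a DLL signs it; a swapped-in DLL is
    # unsigned or signed by someone else.
    return ev.loaded_signer.lower() != ev.image_signer.lower()

def lookalike_system_dll(name: str) -> Optional[str]:
    """Return the system DLL a module name imitates (vresion.dll -> version.dll),
    or None if the name is exact or not close to any known name."""
    n = name.lower()
    if n in SYSTEM_DLLS:
        return None
    match = difflib.get_close_matches(n, sorted(SYSTEM_DLLS), n=1, cutoff=0.85)
    return match[0] if match else None

def find_sideloads(events: List[ImageLoad]) -> List[ImageLoad]:
    return [ev for ev in events if is_sideload(ev)]

# Constructed events: the ISO is mounted as D:, the actor's Version.dll sits
# beside the signed updater; the other two loads are benign.
SAMPLE_EVENTS = [
    ImageLoad(r"D:\OneDriveUpdater.exe", "Microsoft Corporation",
              r"D:\Version.dll", ""),
    ImageLoad(r"D:\OneDriveUpdater.exe", "Microsoft Corporation",
              r"C:\Windows\System32\kernel32.dll", "Microsoft Windows"),
    ImageLoad(r"C:\Program Files\Microsoft OneDrive\OneDriveUpdater.exe",
              "Microsoft Corporation", r"C:\Windows\System32\version.dll",
              "Microsoft Windows"),
]

if __name__ == "__main__":
    for ev in find_sideloads(SAMPLE_EVENTS):
        print("side-load:", ev.image, "->", ev.loaded)
    print(lookalike_system_dll("vresion.dll"))
```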

 

In another sample similar to the previous one, there are a few notable differences:

  • This ISO does not contain a shortcut LNK file and relies on the victim double-clicking the onedrive_fotos.exe binary to load the malicious DLL.
  • The initial shellcode is embedded in the hidden DLL and not present as another file in the ISO archive.

 

 
 
[Figure: A high-level overview of the initial access attack vector]

 

Brute Ratel C4 Overview

Badgers

A Badger is Brute Ratel's payload for remote access. Badgers support egress over HTTP, HTTPS, DNS over HTTPS, SMB and TCP; SMB and TCP are peer-to-peer connections for inter-network communications. Badgers are asynchronous and multi-threaded in nature. A Badger connects back to the Brute Ratel server every few seconds, minutes or hours, as configured with the sleep and jitter values, fetches the tasks queued on the Ratel server, runs them and returns a response as per the sleep cycle. Badgers communicate with each other and with the server over a custom encrypted channel, for all types of Badgers, i.e. DOH, HTTP, HTTPS, SMB and TCP.

 

Brute Ratel C4 Server

The Ratel server is an API-driven server that works over HTTP, DNS and WebSocket. It primarily operates over WebSocket to take commands from the UI/operator's client and either consumes the request or forwards the command in the request to the Badger. All requests and responses sent and received by the Ratel server are in JSON. The Ratel server also accepts a few command-line arguments: the user can start the server by providing the required command-line arguments or provide a JSON configuration file (C4 Profile) to automate several tasks on the server. It also accepts a certificate and a key file, which it uses for HTTPS and WebSocket connections.

 

C4 Profiles

Listener Profile

Listener profiles can be written in JSON to autostart the listeners when the Ratel server starts. Only HTTP/HTTPS listeners (DOH inclusive) can be configured to autostart, since the SMB and TCP listeners are run directly on the Badgers during pivoting. Below is an example profile containing an HTTPS listener with a JSON malleable profile and a DNS over HTTPS listener. When a new listener is created using the Commander/operator client, it autogenerates these profiles and stores them in memory.

 

{
    "listeners": {
        "Primary-Https": {
            "auth_count": 1,                    // number of authentication keys
            "auth_type": false,                 // false = Regular keys, true = One Time Auth keys
            "c2_authkeys": [
                "abcd@123"                      // command connection authentication keys in an array
            ],
            "c2_uri": [
                "content.php",                  // command connection URIs in an array
                "admin.php",
                "login.php",
                "content.js",
                "api"
            ],
            "extra_headers": {                  // any extra headers in key/value format
                "Cache-Control": "no-cache",
                "Cookie": "1babbba6265ca2eba78b6",
                "Host": "test.azureedge.net",
                "Pragma": "no-cache",
                "Referer": "https://mail.microsoft.com",
                "x-pm-apiversion": "3",
                "x-pm-appversion": "Web_3.16.33",
                "x-pm-uid": "d0e1f5b0dc08202064de25a"
            },
            "host": "192.168.0.142",            // bind host to listen on
            "is_random": false,                 // should be 'false'. It is usually created by the server to autogenerate keys. Reserved for future use
            "os_type": "windows",               // should be 'windows'. Reserved for future use.
            "port": "443",                      // port to listen on
            "rotational_host": "192.168.0.142", // rotational hosts, separated by commas
            "ssl": true,                        // ssl enabled or disabled
            "useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36", // user-agent for the payload
            "die_offline": true,                // 'true' or 'false'. This kills the payload if internet connectivity is not available during initial connection.
            "proxy": "https://192.168.0.102:8081" // optional proxy server for the payload to connect to, can be http or https
        },
        "Primary-DOH": {
            "auth_count": 1,                    // number of authentication keys
            "auth_type": false,                 // false = Regular keys, true = One Time Auth keys
            "c2_authkeys": [
                "abcd@123"                      // command connection authentication keys in an array
            ],
            "c2_uri": [
                "dns-query"                     // command connection URIs in an array
            ],
            "extra_headers": {                  // any extra headers in key/value format
                "Content-Type": "application/dns-message"
            },
            "host": "192.168.0.142",            // bind host to listen on
            "is_random": false,                 // should be 'false'. It is usually created by the server to autogenerate keys. Reserved for future use
            "os_type": "windows",               // should be 'windows'. Reserved for future use.
            "port": "443",                      // port to listen on
            "dnshost": "dns1.evasionlabs.com",  // DNS hosts to be queried
            "rotational_host": "dns.google",    // rotational DNS servers, separated by commas
            "idleA": "8.8.4.4",                 // IP to respond for A record requests when there are no commands in the listener bucket
            "spoofTxt": "google-site-verification=wD8N7i1JTNTkezJ49swvWW48f8_9xveREV4oB-0Hf5o", // spoofed TXT record exposed to the public
            "checkinA": "8.8.8.8",              // IP to respond for A record requests when checking in
            "ssl": true,                        // ssl enabled or disabled
            "useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ", // user-agent for the payload
            "die_offline": true,                // 'true' or 'false'. This kills the payload if internet connectivity is not available during initial connection.
            "proxy": "https://192.168.0.102:8081" // optional proxy server for the payload to connect to, can be http or https
        }
    }
}

Sample profile
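To turn a profile like the one above into detection content, the following added Python (not Brute Ratel's or NetWitness's code) strips the // comments without damaging URL values such as the proxy string, parses the JSON, and pulls out the URIs, Host header, user agent and DoH name per listener; the embedded profile is a constructed, trimmed copy of the sample.

```python
"""Parse a Brute Ratel C4 listener profile (JSON with // comments, as above)
and pull out the network indicators a defender can alert on. Added example,
not Brute Ratel's or NetWitness's code; the profile is a constructed, trimmed
copy of the post's sample."""
import json

SAMPLE_PROFILE = r'''
{
    "listeners": {
        "Primary-Https": {
            "c2_uri": ["content.php", "admin.php", "api"],      // command connection URIs
            "extra_headers": {"Host": "test.azureedge.net", "Referer": "https://mail.microsoft.com"},
            "port": "443",
            "ssl": true,
            "useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/90.0.4430.93",
            "proxy": "https://192.168.0.102:8081"                // the // inside the string must survive
        },
        "Primary-DOH": {
            "c2_uri": ["dns-query"],
            "extra_headers": {"Content-Type": "application/dns-message"},
            "port": "443",
            "dnshost": "dns1.evasionlabs.com",                   // DNS hosts to be queried
            "ssl": true,
            "useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
        }
    }
}
'''

def strip_line_comments(text: str) -> str:
    """Drop // comments, but only outside double-quoted strings so that
    URL values such as "https://..." survive."""
    out = []
    for line in text.splitlines():
        in_str, escaped, cut = False, False, len(line)
        for i, ch in enumerate(line):
            if in_str:                      # inside a string: only watch for its end
                if ch == '"' and not escaped:
                    in_str = False
                escaped = ch == "\\" and not escaped
            elif ch == '"':
                in_str = True
            elif line.startswith("//", i):  # comment starts here
                cut = i
                break
        out.append(line[:cut].rstrip())
    return "\n".join(out)

def load_profile(text: str) -> dict:
    return json.loads(strip_line_comments(text))

def extract_indicators(profile: dict) -> dict:
    """Per listener: scheme, port, sorted URIs, Host header, trimmed user agent, DoH name."""
    result = {}
    for name, lst in profile.get("listeners", {}).items():
        result[name] = {
            "scheme": "https" if lst.get("ssl") else "http",
            "port": lst.get("port"),
            "uris": sorted(lst.get("c2_uri", [])),
            "host_header": lst.get("extra_headers", {}).get("Host"),
            "useragent": lst.get("useragent", "").strip(),
            "dnshost": lst.get("dnshost"),
        }
    return result
```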

 

 

Payload Profiles

Payload profiles provide a variety of options to configure and build payloads. These payload configurations work independently of the listener profiles. These profiles can be used dynamically during process injection or profile migration, or to create new executable/shellcode/DLL/ps1 or service executables. There are four types of payload profiles:

  • DOH (DNS over HTTPS)
  • HTTP/HTTPS
  • TCP
  • SMB

 

Command Profile

C4 profiles allow users to configure custom commands. C4 profiles can be configured to:

  • Register a reflective DLL using the register_dll command
  • Register a C# executable using the register_pe command
  • Register an object file (BOF) using the register_obj command

 

 

Network Communications

Brute Ratel uses a custom encryption algorithm to encrypt the data on the network between Badgers and the C4 server. This encryption is performed using either a random key or one provided by the operator; if the operator does not provide an encryption key, the server generates one randomly. This layer of encryption sits below the SSL layer. If a network-based EDR or network intrusion detection system tries to inspect the traffic using SSL decryption, the inner layer is still encrypted and appears as garbage to the inspecting system.

 

Based on the traffic analyzed, NetWitness Packet core was able to detect TCP beacon traffic from the Badger.

[Figure: NetWitness Packet capture showing TCP beacon traffic from the Badger]

 

The Badger sends the following data to the C4 listener IP as a POST request.

[Figure: Badger POST request to the C4 listener IP]

 

Another interesting aspect of this Badger is that it periodically reaches out to ctldl.windowsupdate.com, which is hardcoded within the binary. This is likely a cloaking mechanism to throw off AV/EDR/sandboxes.

[Figure: Periodic Badger requests to ctldl.windowsupdate.com]
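Both the Badger description (sleep and jitter) and the TCP beacon detection above rest on the regularity of the call-backs; the following added Python (not NetWitness's detection content) scores that regularity over constructed flow records, with thresholds that are assumptions to be tuned.

```python
"""Flag beaconing of the kind the Badger section and the packet analysis above
describe: one host calling one destination on a fixed sleep with bounded jitter.
Added example, not NetWitness detection content; the flow records are
constructed and the thresholds are assumptions a defender would tune."""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Flow = Tuple[float, str, str, int]          # (timestamp_s, src_ip, dst_ip, dst_port)
Key = Tuple[str, str, int]

def beacon_candidates(flows: List[Flow], min_sessions: int = 6,
                      max_cv: float = 0.35) -> Dict[Key, dict]:
    """Group sessions by (src, dst, dport) and keep groups whose inter-arrival
    gaps are regular. CV = stdev/mean of the gaps: a sleep of S seconds with
    jitter j% keeps CV near or below j/100, while interactive traffic is far
    noisier. Returns the estimated sleep and CV for each flagged pair."""
    by_pair: Dict[Key, List[float]] = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    hits: Dict[Key, dict] = {}
    for key, times in by_pair.items():
        if len(times) < min_sessions:
            continue                         # too few sessions to judge regularity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits[key] = {"sessions": len(times), "sleep_s": round(avg, 1), "cv": round(cv, 3)}
    return hits

def _sessions(start: float, gaps: List[float], src: str, dst: str, port: int) -> List[Flow]:
    """Build constructed flow records from a start time and a list of gaps."""
    out, t = [], start
    for g in [0.0] + gaps:
        t += g
        out.append((t, src, dst, port))
    return out

# Constructed traffic (documentation IP ranges): a Badger on a 60 s sleep with
# roughly 15% jitter talking to 203.0.113.10:443, a user browsing to another
# host, and a short-lived connection that never reaches min_sessions.
FLOWS: List[Flow] = (
    _sessions(1000, [58, 63, 51, 64, 59, 56, 62, 60], "10.0.0.25", "203.0.113.10", 443)
    + _sessions(1005, [2, 40, 1, 300, 5, 90, 7, 1000], "10.0.0.25", "198.51.100.7", 443)
    + _sessions(1200, [30, 30], "10.0.0.40", "198.51.100.9", 8443)
)

if __name__ == "__main__":
    for (src, dst, port), info in beacon_candidates(FLOWS).items():
        print(f"{src} -> {dst}:{port} beacons every ~{info['sleep_s']}s "
              f"(cv={info['cv']}, {info['sessions']} sessions)")
```

Sleep estimates come out close to the configured value even with jitter, which is what makes the NetWitness TCP beaconing detection viable against a Badger that only changes the gap within its jitter window.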

 

 

 

NetWitness Detections

The following detections were created to detect Brute Ratel C4 being used by a group known as APT29.

  • boc=suspicious tcp beaconing
  • boc=Brute Ratel C4 ISO Link File Creation
  • Brute Ratel C4 Yara rules [Community]

 

Indicators of Compromise


 

 

MITRE ATT&CK Tactics and Techniques

Execution TA0002
  • Scripting T1064: executes commands using a shell command-line interpreter
  • Shared Modules T1129

Privilege Escalation TA0004
  • Process Injection T1055: maps a DLL or memory area into another process; creates a thread in another existing process (thread injection); spawns processes; creates a process in suspended mode (likely to inject code)
  • DLL Side-Loading T1574.002

Defense Evasion TA0005
  • Masquerading T1036: creates files inside the user directory
  • Process Injection T1055: maps a DLL or memory area into another process; creates a thread in another existing process (thread injection); spawns processes; creates a process in suspended mode (likely to inject code)
  • Virtualization/Sandbox Evasion T1497: may sleep (evasive loops) to hinder dynamic analysis; checks if the current process is being debugged
  • Timestomp T1070.006: binary contains a suspicious time stamp
  • Hidden Files and Directories T1564.001: creates hidden files, links and/or directories

Discovery TA0007
  • Remote System Discovery T1018: reads the hosts file
  • Process Discovery T1057: queries a list of all running processes
  • System Information Discovery T1082: queries the volume information (name, serial number etc.) of a device; reads software policies; queries the cryptographic machine GUID
  • File and Directory Discovery T1083: enumerates the file system
  • Virtualization/Sandbox Evasion T1497: may sleep (evasive loops) to hinder dynamic analysis; checks if the current process is being debugged
  • Security Software Discovery T1518.001: checks if the current process is being debugged; may try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Command and Control TA0011
  • Application Layer Protocol T1071: uses HTTPS; performs DNS lookups
  • Encrypted Channel T1573: uses HTTPS


 

Conclusion

BRc4 is equipped with a wide variety of features, such as process injection, automating adversary TTPs, capturing screenshots, uploading and downloading files, support for multiple command-and-control channels, and the ability to keep memory artifacts concealed from anti-malware engines, among others.

The emergence of this new penetration testing and adversary emulation capability is significant. Yet more alarming is the effectiveness of BRc4 at defeating modern defensive EDR and AV detection capabilities. As this framework grows in popularity with threat actors, it is important to understand the many ways in which it can be detected.

 

References:

Brute Ratel C4 Red Teaming Tool Being Abused by Malicious Actors (paloaltonetworks.com)

https://bruteratel.com/

https://www.splunk.com/en_us/blog/security/deliver-a-strike-by-reversing-a-badger-brute-ratel-detection-and-analysis.html

https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/

https://blog.spookysec.net/analyzing-brc4-badgers/

 

  • APT29
  • BRC4
  • MITRE ATT&CK
  • Red Teaming Tool