Brute Ratel C4 is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. Brute Ratel C4 was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities, and deploys agents called badgers to enable arbitrary command execution for lateral movement, privilege escalation, and persistence. In September 2022, a cracked version of Brute Ratel C4 was leaked in the cybercriminal underground, leading to its use by threat actors.[1][2][3][4][5]
| Name | Description |
|---|---|
| BRc4 | |

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1087.002 | Account Discovery: Domain Account | Brute Ratel C4 can use LDAP queries, |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Brute Ratel C4 can use HTTP and HTTPS for C2 communication.[2][5] |
| Enterprise | T1071.004 | Application Layer Protocol: DNS | Brute Ratel C4 can use DNS over HTTPS for C2.[2][5] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Brute Ratel C4 can use cmd.exe for execution.[2] |
| Enterprise | T1005 | Data from Local System | Brute Ratel C4 has the ability to upload files from a compromised system.[2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Brute Ratel C4 has the ability to deobfuscate its payload prior to execution.[2] |
| Enterprise | T1482 | Domain Trust Discovery | Brute Ratel C4 can use LDAP queries and |
| Enterprise | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | Brute Ratel C4 has used search order hijacking to load a malicious payload DLL as a dependency of a benign application packaged in the same ISO.[2] |
| Enterprise | T1574.002 | Hijack Execution Flow: DLL Side-Loading | Brute Ratel C4 has loaded a malicious DLL by spoofing the name of the legitimate Version.DLL and placing it in the same folder as the digitally signed Microsoft binary OneDriveUpdater.exe.[2] |
| Enterprise | T1562.006 | Impair Defenses: Indicator Blocking | Brute Ratel C4 has the ability to hide memory artifacts and to patch Event Tracing for Windows (ETW) and the Antimalware Scan Interface (AMSI).[2][3] |
| Enterprise | T1105 | Ingress Tool Transfer | Brute Ratel C4 can download files to compromised hosts.[2][6] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Brute Ratel C4 has used a payload file named OneDrive.update to appear benign.[2] |
| Enterprise | T1036.008 | Masquerading: Masquerade File Type | Brute Ratel C4 has used Microsoft Word icons to hide malicious LNK files.[2] |
| Enterprise | T1106 | Native API | Brute Ratel C4 can call multiple Windows APIs for execution, memory sharing, and defense evasion.[2][3] |
| Enterprise | T1046 | Network Service Discovery | Brute Ratel C4 can conduct port scanning against targeted systems.[2] |
| Enterprise | T1095 | Non-Application Layer Protocol | Brute Ratel C4 has the ability to use TCP for external C2.[2] |
| Enterprise | T1027 | Obfuscated Files or Information | Brute Ratel C4 has used encrypted payload files and maintains an encrypted configuration structure in memory.[2][3] |
| Enterprise | T1027.007 | Obfuscated Files or Information: Dynamic API Resolution | Brute Ratel C4 can call and dynamically resolve hashed APIs.[2] |
| Enterprise | T1069.002 | Permission Groups Discovery: Domain Groups | Brute Ratel C4 can use |
| Enterprise | T1057 | Process Discovery | Brute Ratel C4 can enumerate all processes and locate specific process IDs (PIDs).[2] |
| Enterprise | T1055.002 | Process Injection: Portable Executable Injection | Brute Ratel C4 has injected Latrodectus into the Explorer.exe process on compromised hosts.[6] |
| Enterprise | T1572 | Protocol Tunneling | Brute Ratel C4 can use DNS over HTTPS for C2.[2][5] |
| Enterprise | T1620 | Reflective Code Loading | Brute Ratel C4 has used reflective loading to execute malicious DLLs.[3] |
| Enterprise | T1021 | Remote Services | Brute Ratel C4 has the ability to use RPC for lateral movement.[2] |
| Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | Brute Ratel C4 has the ability to use SMB to pivot in compromised networks.[2][3][1] |
| Enterprise | T1021.006 | Remote Services: Windows Remote Management | Brute Ratel C4 can use WinRM for pivoting.[2] |
| Enterprise | T1113 | Screen Capture | Brute Ratel C4 can take screenshots on compromised hosts.[2] |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | Brute Ratel C4 can detect EDR userland hooks.[2] |
| Enterprise | T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | Brute Ratel C4 can decode Kerberos 5 tickets and convert them to hashcat format for subsequent cracking.[2] |
| Enterprise | T1569.002 | System Services: Service Execution | Brute Ratel C4 can create Windows system services for execution.[2] |
| Enterprise | T1204.002 | User Execution: Malicious File | Brute Ratel C4 has gained execution through users opening malicious documents.[2] |
| Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | Brute Ratel C4 can call |
| Enterprise | T1102 | Web Service | Brute Ratel C4 can use legitimate websites for external C2 channels, including Slack, Discord, and MS Teams.[2] |
| Enterprise | T1047 | Windows Management Instrumentation | Brute Ratel C4 can use WMI to move laterally.[2] |