Ransomware gangs, APT groups ditch Cobalt Strike for Brute Ratel

[Gandalf_The_Grey]

Content source

https://www.bleepingcomputer.com/news/security/ransomware-gangs-apt-groups-ditch-cobalt-strike-for-brute-ratel/

APT hacking groups and ransomware operations are moving away from Cobalt Strike to the newer Brute Ratel post-exploitation toolkit to evade detection by EDR and antivirus solutions.

Corporate cybersecurity teams commonly consist of employees who attempt to breach corporate networks (red team) and those who actively defend against them (blue team). Both teams then share notes after engagements to strengthen the cybersecurity defenses of a network.

For years, one of the most popular tools in red team engagements has been Cobalt Strike, a toolkit allowing attackers to deploy "beacons" on compromised devices to perform remote network surveillance or execute commands.

While Cobalt Strike is legitimate software, threat actors have been sharing cracked versions online, making it one of the most popular tools used by hackers and ransomware operations to spread laterally through breached corporate networks.

In 2020, Chetan Nayak, an ex-red teamer at Mandiant and CrowdStrike, released Brute Ratel Command and Control Center (BRc4) as an alternative to Cobalt Strike for red team penetration testing engagements.

Like Cobalt Strike, Brute Ratel is an adversarial attack simulation tool that allows red teamers to deploy 'Badgers' (similar to beacons in Cobalt Strike) on remote hosts. These badgers connect back to the attacker's Command and Control server to receive commands to execute or transmit the output of previously run commands.

In a new report by Palo Alto Unit 42, researchers have spotted threat actors moving away from Cobalt Strike to using Brute Ratel as their post-exploitation toolkit of choice.

This change in tactics is significant as BRc4 is designed to evade detection by EDR and antivirus solutions, with almost all security software not detecting it as malicious when first spotted in the wild.

"While this capability has managed to stay out of the spotlight and remains less commonly known than its Cobalt Strike brethren, it is no less sophisticated," explains Unit 42's report.

"Instead, this tool is uniquely dangerous in that it was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities. Its effectiveness at doing so can clearly be witnessed by the aforementioned lack of detection across vendors on VirusTotal."

Ransomware gangs, APT groups ditch Cobalt Strike for Brute Ratel

APT hacking groups and ransomware operations are moving away from Cobalt Strike to the newer Brute Ratel post-exploitation toolkit to evade detection by EDR and antivirus solutions.

www.bleepingcomputer.com

 

[Andy Ful]

Two years ago I made a special thread related to this attack method. It includes some more info about DLL hijacking and how to test the security layers against this method:

Advice Request - Testing DLL Search Order Hijacking against security features.

The DLL Search Order Hijacking is a well known (but not common) vector of attack. It is often performed via a vulnerable Microsoft EXE file or EXE signed by the well known reputable vendor. A popular way of exploiting this vulnerability is based on loading by the vulnerable EXE, one of the...

malwaretips.com

Here is also an interesting article from Bitdefender:

https://www.bitdefender.com/files/News/CaseStudies/study/333/Bitdefender-PR-Whitepaper-Metamorfo-creat4500-en-EN-GenericUse.pdf

It seems that now such attacks are more often used as the initial attack vector and can also (rarely) affect home users. A few years ago they were mostly used to obtain persistence in the targeted attacks on Enterprises.