Ransomware gangs, APT groups ditch Cobalt Strike for Brute Ratel

Gandalf_The_Grey

APT hacking groups and ransomware operations are moving away from Cobalt Strike to the newer Brute Ratel post-exploitation toolkit to evade detection by EDR and antivirus solutions.

Corporate cybersecurity teams commonly consist of employees who attempt to breach corporate networks (red team) and those who actively defend against them (blue team). Both teams then share notes after engagements to strengthen the cybersecurity defenses of a network.

For years, one of the most popular tools in red team engagements has been Cobalt Strike, a toolkit allowing attackers to deploy "beacons" on compromised devices to perform remote network surveillance or execute commands.

While Cobalt Strike is legitimate software, threat actors have been sharing cracked versions online, making it one of the most popular tools used by hackers and ransomware operations to spread laterally through breached corporate networks.

In 2020, Chetan Nayak, an ex-red teamer at Mandiant and CrowdStrike, released Brute Ratel Command and Control Center (BRc4) as an alternative to Cobalt Strike for red team penetration testing engagements.

Like Cobalt Strike, Brute Ratel is an adversarial attack simulation tool that allows red teamers to deploy 'Badgers' (similar to beacons in Cobalt Strike) on remote hosts. These badgers connect back to the attacker's Command and Control server to receive commands to execute or transmit the output of previously run commands.

In a new report by Palo Alto Unit 42, researchers have spotted threat actors moving away from Cobalt Strike to using Brute Ratel as their post-exploitation toolkit of choice.

This change in tactics is significant as BRc4 is designed to evade detection by EDR and antivirus solutions, with almost all security software not detecting it as malicious when first spotted in the wild.

"While this capability has managed to stay out of the spotlight and remains less commonly known than its Cobalt Strike brethren, it is no less sophisticated," explains Unit 42's report.

"Instead, this tool is uniquely dangerous in that it was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities. Its effectiveness at doing so can clearly be witnessed by the aforementioned lack of detection across vendors on VirusTotal."

Andy Ful

Two years ago I made a special thread related to this attack method. It includes some more info about DLL hijacking and how to test the security layers against this method:

Here is also an interesting article from Bitdefender:

It seems that now such attacks are more often used as the initial attack vector and can also (rarely) affect home users. A few years ago they were mostly used to obtain persistence in targeted attacks on enterprises.