Brute Ratel C4

Overview

Brute Ratel C4 (Customised Command and Control Centre) is a commercial, full-featured, remote access tool that is incorporated as an adversary simulation software designed to execute targeted attacks and emulate the postexploitation actions of advanced threat actors. including APT291. Brute Ratel’s interactive post-exploit capabilities coverthe full range of Mite ATT&CK techniques, all of which are executed within a single, integrated system. Brute Ratel C4 is equipped with debugger programming that detects Endpoint Detection and Response (EDR) monitoring. The framework then takes action to avoid triggering detection, making the software particularly dangerous to network security. Additionally, Brute Ratel C4 is a malware as a service, therefore resulting in a vast scope of exploitability. The malware is primarily distributed via phishing emails and exploiting Dynamic Link Library (DLL) hijacking vulnerabilities in Windows operating systems. Brute Ratel C4 has also been implemented in conjunction with other malware variants such as Cobalt Strike and Qakbot.

Impact

The Brute Ratel C4 framework contains a debugger component that recognises EDR hooks, thus preventing detection. Brute Ratel also incorporates a visual interface for LDAP queries. Upon execution of the software, malicious payloads are dropped via DLL search order hijacking. The current version of the software offers the availability to form command-and-control channels via legitimate programmes, such as Microsoft Teams and Slack. The platform can leverage undocumented syscalls to avoid being detected and subsequently inject shellcode into process that have been previously activated2. Brute Ratel enables operators to deploy agents, called badgers, whilstin the realm of a target environment, that enable arbitrary command execution to perform lateral movement, privilege escalation, and establish additional channels of persistence.

 

Download Report.