Brute Ratel C4 is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. Brute Ratel C4 was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities, and deploys agents called badgers to enable arbitrary command execution for lateral movement, privilege escalation, and persistence. In September 2022, a cracked version of Brute Ratel C4 was leaked in the cybercriminal underground, leading to its use by threat actors.[1][2][3][4][5]
| Name | Description |
|---|---|
| BRc4 | |
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | Brute Ratel C4 can use WMI to move laterally.[2] |
| Enterprise | T1005 | Data from Local System | Brute Ratel C4 has the ability to upload files from a compromised system.[2] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Brute Ratel C4 has used a payload file named OneDrive.update to appear benign.[2] |
| Enterprise | T1036.008 | Masquerading: Masquerade File Type | Brute Ratel C4 has used Microsoft Word icons to hide malicious LNK files.[2] |
| Enterprise | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | Brute Ratel C4 has used search order hijacking to load a malicious payload DLL as a dependency of a benign application packaged in the same ISO.[2] |
| Enterprise | T1574.002 | Hijack Execution Flow: DLL Side-Loading | Brute Ratel C4 has loaded a malicious DLL by spoofing the name of the legitimate Version.DLL and placing it in the same folder as the digitally signed Microsoft binary OneDriveUpdater.exe.[2] |
| Enterprise | T1572 | Protocol Tunneling | Brute Ratel C4 can use DNS over HTTPS for C2.[2][5] |
| Enterprise | T1620 | Reflective Code Loading | Brute Ratel C4 has used reflective loading to execute malicious DLLs.[3] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Brute Ratel C4 has the ability to deobfuscate its payload prior to execution.[2] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Brute Ratel C4 can use cmd.exe for execution.[2] |
| Enterprise | T1482 | Domain Trust Discovery | Brute Ratel C4 can use LDAP queries and |
| Enterprise | T1562.006 | Impair Defenses: Indicator Blocking | Brute Ratel C4 has the ability to hide memory artifacts and to patch Event Tracing for Windows (ETW) and the Antimalware Scan Interface (AMSI).[2][3] |
| Enterprise | T1113 | Screen Capture | Brute Ratel C4 can take screenshots on compromised hosts.[2] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Brute Ratel C4 can use HTTP and HTTPS for C2 communication.[2][5] |
| Enterprise | T1071.004 | Application Layer Protocol: DNS | Brute Ratel C4 can use DNS over HTTPS for C2.[2][5] |
| Enterprise | T1106 | Native API | Brute Ratel C4 can call multiple Windows APIs for execution, memory sharing, and defense evasion.[2][3] |
| Enterprise | T1069.002 | Permission Groups Discovery: Domain Groups | Brute Ratel C4 can use |
| Enterprise | T1027 | Obfuscated Files or Information | Brute Ratel C4 has used encrypted payload files and maintains an encrypted configuration structure in memory.[2][3] |
| Enterprise | T1027.007 | Obfuscated Files or Information: Dynamic API Resolution | Brute Ratel C4 can call and dynamically resolve hashed APIs.[2] |
| Enterprise | T1204.002 | User Execution: Malicious File | Brute Ratel C4 has gained execution through users opening malicious documents.[2] |
| Enterprise | T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | Brute Ratel C4 can decode Kerberos 5 tickets and convert them to hashcat format for subsequent cracking.[2] |
| Enterprise | T1569.002 | System Services: Service Execution | Brute Ratel C4 can create Windows system services for execution.[2] |
| Enterprise | T1102 | Web Service | Brute Ratel C4 can use legitimate websites for external C2 channels, including Slack, Discord, and MS Teams.[2] |
| Enterprise | T1046 | Network Service Discovery | Brute Ratel C4 can conduct port scanning against targeted systems.[2] |
| Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | Brute Ratel C4 can call |
| Enterprise | T1087.002 | Account Discovery: Domain Account | Brute Ratel C4 can use LDAP queries, |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | Brute Ratel C4 can detect EDR userland hooks.[2] |
| Enterprise | T1105 | Ingress Tool Transfer | Brute Ratel C4 can download files to compromised hosts.[2][6] |
| Enterprise | T1057 | Process Discovery | Brute Ratel C4 can enumerate all processes and locate specific process IDs (PIDs).[2] |
| Enterprise | T1055.002 | Process Injection: Portable Executable Injection | Brute Ratel C4 has injected Latrodectus into the Explorer.exe process on compromised hosts.[6] |
| Enterprise | T1021 | Remote Services | Brute Ratel C4 has the ability to use RPC for lateral movement.[2] |
| Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | Brute Ratel C4 has the ability to use SMB to pivot in compromised networks.[2][3][1] |
| Enterprise | T1021.006 | Remote Services: Windows Remote Management | Brute Ratel C4 can use WinRM for pivoting.[2] |
| Enterprise | T1095 | Non-Application Layer Protocol | Brute Ratel C4 has the ability to use TCP for external C2.[2] |
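The loading pattern in the T1574.001 and T1574.002 rows (a DLL carrying a System32 name, version.dll, placed beside the signed OneDriveUpdater.exe so that the loader resolves it before the real one) is easy to triage from image-load telemetry. The following is an added example, not code from the ATT&CK page, from Brute Ratel C4, or from any vendor; it assumes Sysmon Event ID 7 (ImageLoaded) records reduced to the Image, ImageLoaded and Signed fields, flattened to one line per event, and the sample events are constructed for the example.

```python
"""Triage image-load telemetry for the DLL side-loading layout described on
the page: a DLL with a System32 name (version.dll) loaded from the folder of
a signed executable (OneDriveUpdater.exe) instead of from System32.

Added example for illustration; not code from the ATT&CK page, from Brute
Ratel C4, or from any vendor. Input lines are a constructed, flattened
rendering of Sysmon Event ID 7 (ImageLoaded) fields.
"""
import ntpath

# Directories from which Windows system DLLs are legitimately loaded.
# Assumption: default install paths; adjust for non-standard installs.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# DLL names that normally resolve to System32 and are attractive
# side-loading targets. version.dll is the one named on the page; seed this
# from your own inventory of System32 DLLs in a real deployment.
SYSTEM_DLL_NAMES = {"version.dll"}

# Constructed sample telemetry (not real events). One record per line,
# "Field: value" pairs separated by " | ".
SAMPLE_EVENTS = r"""
Image: C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveUpdater.exe | ImageLoaded: C:\Windows\System32\version.dll | Signed: true
Image: D:\OneDriveUpdater.exe | ImageLoaded: D:\version.dll | Signed: false
Image: C:\Program Files\ExampleApp\app.exe | ImageLoaded: C:\Program Files\ExampleApp\helper.dll | Signed: true
Image: C:\Users\alice\Downloads\app.exe | ImageLoaded: C:\Users\alice\Downloads\VERSION.DLL | Signed: true
"""


def parse_event(line):
    """Turn 'Field: value | Field: value' into a dict; Signed becomes a bool."""
    ev = {}
    for part in line.split(" | "):
        key, _, value = part.partition(": ")
        ev[key.strip()] = value.strip()
    ev["Signed"] = ev.get("Signed", "false").lower() == "true"
    return ev


def sideload_reasons(ev):
    """Return the reasons an ImageLoaded event looks like side-loading,
    or an empty list if it does not match."""
    dll_name = ntpath.basename(ev["ImageLoaded"]).lower()
    dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower()
    exe_dir = ntpath.dirname(ev["Image"]).lower()

    # Only DLL names that should resolve to System32 are interesting here.
    if dll_name not in SYSTEM_DLL_NAMES or dll_dir in SYSTEM_DIRS:
        return []

    # The loader found the DLL somewhere other than System32: that is the
    # search-order hijack itself (T1574.001).
    reasons = ["system DLL name loaded from outside System32/SysWOW64"]
    # Same folder as the executable is the classic side-loading layout
    # (T1574.002), e.g. version.dll beside OneDriveUpdater.exe on an ISO.
    if dll_dir == exe_dir:
        reasons.append("DLL sits beside the loading executable")
    # An unsigned copy of a Microsoft-shipped DLL is almost never legitimate.
    if not ev["Signed"]:
        reasons.append("DLL is unsigned")
    return reasons


def scan_sideload(text):
    """Scan flattened event lines and return the matches with their reasons."""
    hits = []
    for line in text.strip().splitlines():
        ev = parse_event(line)
        reasons = sideload_reasons(ev)
        if reasons:
            hits.append({"image": ev["Image"], "dll": ev["ImageLoaded"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_sideload(SAMPLE_EVENTS):
        print(f"{hit['image']} loaded {hit['dll']}")
        for reason in hit["reasons"]:
            print(f"  - {reason}")
```

The rule keys on the name-outside-System32 condition alone, because that is the hijack itself; co-location with the executable and a missing signature are recorded as corroborating reasons rather than required, so a signed but relocated copy of version.dll still surfaces for review. Of the four constructed events, the legitimate load from System32 and the application's own helper.dll are ignored, while the two copies of version.dll loaded from an ISO root and from a Downloads folder are flagged.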