A recent report reveals how cyber threat actors have started using the adversary simulation tool Brute Ratel C4 (BRc4) to find ways to evade endpoint security detection and successfully penetrate supposedly secure networks. These unidentified threat actors managed to deliver the BRc4 “badger” payload for remote access, which was not flagged as malicious by most existing security tools.
Threat Actors Now Use Adversary Simulation to Evade Endpoint Security
This shows that adversary simulation does not only benefit security defenders. Its advantages can also be harnessed by malicious actors to overcome defenses. The red and purple team tools available to cybersecurity professionals are also available and can be useful to the very adversaries these tools are meant to combat.
Defeating endpoint security?
To be clear, this attack that leveraged the Brute Ratel C4 tool does not mean that endpoint security solutions have effectively become useless. The failure of most security tools to detect the malicious payload only lasted for a relatively brief period. Once it was discovered, security controls were quickly updated to detect this novel attack method.
Many endpoint security solutions at present already incorporate MITRE ATT&CK and other security frameworks. They share cyber threat intelligence globally, which helps ensure that newly discovered attacks are promptly communicated to all concerned parties so they can implement the necessary updates and detect both existing and new attacks effectively.
Also, the report (cited in the first paragraph) says that only two of the 66 endpoint security products tested successfully detected the anomalous payload. Some security products do better than others, and there is nothing unusual about that. Security vendors have different capabilities in dealing with zero-day attacks or threats that have not yet been added to their threat intelligence centers.
How the role of BRc4 simulation was discovered
One of the malicious files observed to have evaded detection was an ISO file made to appear as a CV submission. If the target double-clicks this deceptive file, the command prompt is launched along with OneDriveUpdater.exe.
Then, a modified Version.dll file loads an encrypted payload file called OneDrive.update, which is decrypted to yield the first stage of shellcode. This code runs as a Windows thread inside RuntimeBroker.exe and connects to the IP 174.129.157[.]251 on TCP port 443.
A similar malicious file called badger_x64.exe was discovered. This communicated with the IP 159.65.186[.]50 on port 443. The security researchers found additional connections to this malicious file (after it was executed), which made it possible to identify potential victims of the breach in North and South America.
The security researchers who studied this new scheme noted that the malicious files communicated with IP addresses that presented self-signed SSL certificates impersonating Microsoft Security. As they dug further, they found connection attempts to dozens more IP addresses and seven more BRc4 samples.
“Currently, 12 vendors identify the sample as malicious with eight classifying this sample as ‘Brutel,’ further supporting that our in-memory code is somehow associated with that of Brute Ratel C4,” the researchers explained.
Moreover, the use of an ISO file described above resembles the way APT29 or Cozy Bear works. Because of this, the researchers think that the threat actors are using BRc4 to generate their anomalous payloads. This remains a suspicion, but a number of researchers are reportedly considering the possibility that threat actors are keen on using the Brute Ratel tool to aid their attacks.
From Cobalt Strike to Brute Ratel
The use of an adversary simulation and red teaming solution is not new. It has been done with Cobalt Strike before. Ransomware operators and other cybercriminals have reportedly been sharing cracked versions of this simulation tool to attack corporate networks and spread malicious files laterally.
Threat actors are said to be shifting to Brute Ratel, though. While security researchers do not describe Brute Ratel as significantly more powerful or more sophisticated than Cobalt Strike, it stands out for its focus on evading endpoint security.
Security researchers characterize Brute Ratel as “uniquely dangerous.” It was created specifically to get around endpoint detection and response (EDR) and antivirus functions so that security teams can test and bolster their defenses. However, it is now apparently also serving the interests of threat actors.
A well-intentioned cybersecurity product
Asked for comment on the recent findings, Brute Ratel creator Chetan Nayak expressed willingness to cooperate with those who are working to address this emerging threat involving the adversary simulation tool.
In a now-deleted Twitter post, Nayak wrote “I am available to contact and ready to help the respective authorities to provide relevant information.” Also, Nayak dismissed the comments of some security researchers that ransomware gangs are the ones using the Brute Ratel tool for nefarious purposes. “Well it’s not ransomware gangs, but due to NDA, can’t disclose much…”
Nayak says that a vetting process is undertaken before the Brute Ratel tool is sold to users, to make sure that it is not being misused or abused. “We only sell the product to registered companies and individuals with an official business email address/domain after verifying the business and the person’s work history,” Brute Ratel’s website indicates.
However, there is no guarantee that the tool does not end up in the hands of cybercriminals. Brute Ratel’s website, nevertheless, insists that the use of Brute Ratel for malicious activities is not authorized. “If we find that the software is being used for malicious activity, we reserve the right to cancel the license and provide help to the law enforcement office.”
What needs to be done
It is unrealistic to expect that access to the Brute Ratel adversary simulation and red teaming solution can be restricted to legitimate companies and individuals. Cybercriminals will always find ways to get what they want.
What is doable is for EDR vendors and cybersecurity solution providers, in general, to update their services to enable the detection of all Brute Ratel activities and take proactive measures against the threats it can pose. The security researchers who exposed this new threat have already shared the related IoCs and file samples. Cybersecurity firms need to update their systems in response.
On the part of enterprises and other users of endpoint security solutions, it is recommended to update security systems as soon as possible. It is also a good idea to ask security providers to confirm that the security solutions in place are already capable of detecting Brute Ratel activity.
Additionally, since MITRE ATT&CK has already mapped this new threat, it would help for organizations to integrate this framework or use security validation platforms that incorporate MITRE ATT&CK as part of their security posture.
Is Microsoft Defender for Endpoint Security good enough?
The OS-native Windows Defender is not a bad defense against endpoint attacks. However, Microsoft has not released any statement regarding the ability of Windows Defender to catch Brute Ratel activity. There are reasons to believe, though, that Microsoft is already working on it or has already put out an update.
Also, Microsoft is one of the users of the MITRE ATT&CK framework. Microsoft Defender for Endpoint undertook the MITRE Engenuity ATT&CK® Evaluation and emerged as one of the industry leaders when it comes to stopping advanced endpoint attacks across different platforms.
The recently discovered Brute Ratel threat proves how ingenious cybercriminals are. They can turn tools used for cyber protection into tools that can break defenses. Fortunately, the cybersecurity community has no shortage of collaboration, frameworks, tools, and generous experts who share their latest findings and solutions. It is up to organizations and other potential cyber attack targets to use these to their advantage.