Pierluigi Paganini July 06, 2022

Threat actors are abusing legitimate adversary simulation software BRc4 in their campaigns to evade detection.

Researchers from Palo Alto Networks Unit 42 discovered that a sample uploaded to the VirusTotal database on May 19, 2022 and considered benign by almost all the antivirus, was containing a payload associated with Brute Ratel C4 (BRc4), a new red-teaming and adversarial attack simulation tool.

Unlike Cobalt strike beacons, BRc4 payloads are less popular, but with similar capabilities. The tool was specifically designed to avoid detection by security solutions such as endpoint detection and response (EDR) and antivirus (AV). Its effectiveness at doing so can clearly be witnessed by the aforementioned lack of detection across vendors on VirusTotal.

“Brute Ratel is the most advanced Red Team & Adversary Simulation Software in the current C2 Market. It can not only emulate different stages of an attacker killchain, but also provide a systematic timeline and graph for each of the attacks executed to help the Security Operations Team validate the attacks and improve the internal defensive mechanisms.” reads the description of the tool on its website. “Brute Ratel comes prebuilt with several opsOpec features which can ease a Red Team’s task to focus more on the analytical part of an engagement instead of focusing or depending on Open source tools for post-exploitation. Brute Ratel is a post-exploitation C2 in the end and however does not provide exploit generation features like metasploit or vulnerability scanning features like Nessus, Acunetix or BurpSuite.”

The file was uploaded to VirusTotal on May 19, 2022, from Sri Lanka, it is named Roshan_CV.iso and poses as a curriculum vitae. Upon clicking on the ISO file, users are presented with an apparent harmless Word document, but after launching it the attack chain will start. An instance of the BRc4 is installed on the user’s machine and attempts to contact a remote server.

According to Unit42 experts, threat actors are spreading the ISO files via spear-phishing messages.

The delivery of packaged ISO files is typically sent via spear-phishing email campaigns, although it’s not clear if the same method was used to deliver the payload to the target environment.

The experts noticed that the composition of the ISO file, Roshan_CV.ISO, is highly compatible with TTPs associated with the Russia-linked APT29 group.

The Russia-linked APT29 group (aka SVR, Cozy Bear, and The Dukes) has been active since at least 2014, along with APT28 cyber espionage group was involved in the Democratic National Committee hack and the wave of attacks aimed at the 2016 US Presidential Elections. The group is suspected to be the threat actor that launched the SolarWinds supply chain attack.

“The composition of the ISO file, Roshan_CV.ISO, closely resembles that of other nation-state APT tradecraft. The following table shows a side-by-side comparison of Roshan_CV.ISO and that of a previously identified APT29 sample (Decret.ISO).” reads the analysis published by Palo Alto Networks.

The researchers also spotted a second sample that was uploaded to VirusTotal from Ukraine a day after the ​​Roshan_CV.ISO file was uploaded. The experts observed significant code overlaps of a module used to load BRc4 into memory. Further investigation allowed the researchers to discovere seven more BRc4 samples dating back to February 2021.

The analysis of the C2 server allowed the experts to identify a number of potential victims, including an Argentinian organization, an IP television provider providing North and South American content, and a major textile manufacturer in Mexico.

“The emergence of a new penetration testing and adversary emulation capability is significant. Yet more alarming is the effectiveness of BRc4 at defeating modern defensive EDR and AV detection capabilities.

“Over the past 2.5 years this tool has evolved from a part-time hobby to a full-time development project with a growing customer base. As this customer base has expanded into the hundreds, the tool has gained increased attention across the cybersecurity domain from both legitimate penetration testers as well as malicious cyber actors.” concludes the report. “The analysis of the two samples described in this blog, as well as the advanced tradecraft used to package these payloads, make it clear that malicious cyber actors have begun to adopt this capability.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, BRc4)

[adrotate banner=”5″]

[adrotate banner=”13″]