Brute Ratel: The New Red Teaming Tool Coopted by CTAs
Digital technology is inherently dual-use in that it can help someone fulfill legitimate or malicious purposes. Adversary simulation software is no exception. Take Cobalt Strike as an example. Just as defenders use this solution to test their organization's security defenses, so too are cyber threat actors (CTAs) seizing on the technology to penetrate their victims' networks.
But technology, and the attack landscape that abuses it, is always changing. In recent weeks, for instance, the Cyber Threat Intelligence (CTI) team at the Multi-State Information Sharing and Analysis Center (MS-ISAC) has seen CTAs moving away from Cobalt Strike and towards a new capability called "Brute Ratel." Let's look at this development below.
What Is Brute Ratel?
Brute Ratel is a legitimate red team analysis and adversary simulation tool made by Chetan Nayak, an infosec professional who's done a lot of penetration testing in his career. It has functionality that's similar to Cobalt Strike; teams can use it for reconnaissance, browser pivoting, payload attachments, and other purposes. But it also comes with certain evasive features that could explain the shift in the attack landscape.
These specs include the following:
- Detecting EDR userland hooks: The solution comes with techniques for spotting endpoint detection and response (EDR) userland hooks and DLLs. If it finds a hook, it uses syscall obfuscation and debugging tactics to evade detection by these services and remain hidden.
- Patching event tracing for Windows: Event tracing on Windows machines functions like a log. It's useful for tracing back events that have occurred on a machine. Brute Ratel takes this feature into account and uses its agent (called a "badger") to patch event tracing, thus complicating the process of incident detection and response.
- Writing custom C2 channels over legitimate sites: Finally, Brute Ratel comes with an SMB and TCP badger that can write custom external C2 channels over Slack, Discord, and other legitimate websites. This complicates detection and makes it easier for attackers to remain connected to a targeted system.
How Attackers Are Coopting Brute Ratel
Brute Ratel includes several mechanisms for verifying users who are interested in purchasing a license. According to the solution's pricing page, Nayak and his team first verify an interested party's business and work history. This process involves confirming that the party has an official business email address and domain. Following verification, the Brute Ratel team authorizes a license purchase to proceed, but it accepts payments only via bank wire transfer to ensure that payment originates from a legitimate source. The page goes on to explain that the team can "cancel the license and provide help to the law enforcement office" in the event it finds that a buyer is misusing its software.
Attackers are finding their way around these steps, however. Some are creating fake U.S. companies to make their way through the verification process, noted Bleeping Computer. Others are relying on customers' disgruntled employees and other insiders to sell licenses on the dark web.
Bruteratel for sale anyone? pic.twitter.com/eKLH140NGe
— Andrew Northern (@ex_raritas) July 18, 2022
Once they have a license, CTAs can incorporate Brute Ratel into their attack chain. Sophos recently detected the BlackCat ransomware operation abusing the solution, for instance. The security firm found that the attackers had used a Windows service called "wewe" to install a Brute Ratel binary on at least one targeted machine.
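As a defender-side illustration of the log-based detection the Sophos finding suggests, here is an added Python example (not from this article, Sophos, or Brute Ratel) that scans constructed Windows Event ID 7045 service-installation records for the "wewe" service name and for service binaries launched from user-writable directories. The pipe-delimited record layout and the list of suspicious path prefixes are assumptions made for this example.

```python
import re

# Constructed sample records modelled on Windows System log Event ID 7045
# ("A service was installed in the system"). The pipe-delimited layout is a
# simplification for this example, not the real EVTX/XML schema.
SAMPLE_EVENTS = """
7045|ServiceName=Windows Update Medic Service|ImagePath=C:\\Windows\\System32\\svchost.exe -k wusvcs|Account=LocalSystem
7045|ServiceName=wewe|ImagePath=C:\\Users\\Public\\Music\\svc.exe|Account=LocalSystem
7045|ServiceName=Backup Agent|ImagePath=C:\\Program Files\\Backup\\agent.exe|Account=LocalSystem
7045|ServiceName=UpdaterSvc|ImagePath=C:\\Windows\\Temp\\upd.exe|Account=LocalSystem
"""

# Service name Sophos reported in the BlackCat intrusion described above.
KNOWN_BAD_SERVICE_NAMES = {"wewe"}

# Assumed list: directories a legitimate service binary is rarely launched from.
SUSPICIOUS_PATH_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")


def parse_event(line):
    """Return the key=value fields of a 7045 record, or None for anything else."""
    parts = line.strip().split("|")
    if len(parts) < 2 or parts[0] != "7045":
        return None
    return dict(p.split("=", 1) for p in parts[1:] if "=" in p)


def image_path_of(image_path):
    """Reduce a quoted executable or a command line with arguments to the exe path."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', image_path)
    return (m.group(1) or m.group(2)) if m else image_path


def classify(fields):
    """Return the list of reasons this service installation looks suspicious."""
    reasons = []
    name = fields.get("ServiceName", "")
    exe = image_path_of(fields.get("ImagePath", "")).lower()
    if name.lower() in KNOWN_BAD_SERVICE_NAMES:
        reasons.append("known-bad service name")
    if exe.startswith(SUSPICIOUS_PATH_PREFIXES):
        reasons.append("binary in user-writable directory")
    return reasons


def find_suspicious_installs(log_text):
    """Scan a block of records and return (service name, reasons) for each hit."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_event(line)
        if fields is not None and classify(fields):
            hits.append((fields["ServiceName"], classify(fields)))
    return hits
```

Run against the constructed sample, the scan flags "wewe" on both counts and "UpdaterSvc" for its Temp-directory binary while leaving the two legitimate-looking services alone.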
How to Protect Against Attacks Involving Brute Ratel
When asked to explain how organizations can protect themselves against attacks involving Brute Ratel, the MS-ISAC CTI team said it's "tricky."
"The common means of defense are EDR and anti-virus, but Brute Ratel evades these capabilities," the team clarified. "Organizations can keep updating their lists in terms of malicious activity. But as with all red team tools, they can also try to look out for reconnaissance techniques, initial scanning, and other activity that could be indicative of adversary simulation software like Brute Ratel."
Towards this end, organizations might consider implementing CIS Control 18 of the CIS Critical Security Controls v8. This will help them to familiarize themselves with penetration testing so that they can get used to detecting this type of activity.
Additional Recourse for SLTTs
The threat landscape continues to evolve, which is why MS-ISAC remains committed to protecting U.S. State, Local, Tribal, and Territorial (SLTT) government organizations against attackers’ abuse of Brute Ratel and other tools. Those organizations can join MS-ISAC to receive regular threat briefings and alerts so that they can better protect themselves going forward.