Red-Teaming Tool Abused by Malicious Actors

In a new report from Palo Alto Networks' Unit 42, researchers have spotted threat actors moving away from Cobalt Strike and adopting Brute Ratel C4 (BRc4) as their post-exploitation toolkit of choice. BRc4 has been sold for red team penetration testing since 2020. The change in tactics is significant because BRc4 is designed specifically to evade detection by EDR and antivirus solutions; when the first sample was spotted in the wild, almost no security software flagged it as malicious.

“While this capability has managed to stay out of the spotlight and remains less commonly known than its Cobalt Strike brethren, it is no less sophisticated,” explains Unit 42’s report.

“Instead, this tool is uniquely dangerous in that it was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities. Its effectiveness at doing so can clearly be witnessed by the aforementioned lack of detection across vendors on VirusTotal.”

Dr. Darren Williams, CEO and Founder of BlackFog:

“It has been known for several years now that AV software provides limited protection from modern ransomware and malware. New attack variants focus on techniques that are very difficult to detect with the basic fingerprinting techniques these older solutions rely upon. State-sponsored attacks are increasing at a rapid rate during 2022 and continue to focus on ways of launching custom payloads by traditional software and modified DLLs.”

This report illustrates the need for a layered defence against ransomware and malware: if a post-exploitation framework can walk past EDR and antivirus, detection has to come from the other layers as well. If you are responsible for defending against these sorts of attacks, the Unit 42 report should be required reading.
