Project Hyphae

Brute Ratel Replacing Cobalt Strike as Attackers’ Preferred Post-Exploitation Toolkit


Cobalt Strike has for years been one of the most popular toolkits used by attackers to deploy command and control (C2) beacons onto compromised devices. These beacons can perform network surveillance, allow remote access, and execute commands, including the activation of ransomware payloads. Red teamers and penetration testers also make use of Cobalt Strike, and antivirus vendors have dedicated countless hours to being able to quickly and safely identify and block its actions. In a recent report by Palo Alto Networks Unit 42, researchers observed advanced persistent threat groups moving away from Cobalt Strike and instead opting to use Brute Ratel for their post-exploitation activities.

Some background: Brute Ratel Command and Control Center (BRc4) was released in 2020 as an alternative to Cobalt Strike for penetration testing. Similar to Cobalt Strike, Brute Ratel deploys beacons (known as ‘Badgers’) to compromised remote hosts. These badgers connect back to the attacker’s C2 server to receive instructions or transmit data. The primary difference for attackers is BRc4’s design and its ability to evade detection by EDR and antivirus solutions. Unit 42’s report gives examples of this evasion: the samples it analyzed had gone undetected by various EDR and AV providers, and there was also a dearth of related information on cybersecurity aggregators such as VirusTotal.

Brute Ratel currently costs $2,500 per user for a one-year license, with customers required to provide a business email address and be verified. Brute Ratel’s pricing page explains that this verification is a manual process, raising questions about how the threat actors seen in the wild obtained software licenses. In Unit 42’s example, the license used in the attacks had been leaked by a disgruntled employee of one of Brute Ratel’s customers. This particular license was revoked, but other cybersecurity firms report that former ransomware gang members have been able to acquire Brute Ratel licenses using made-up business details.

For additional details on Brute Ratel, its actions and known Indicators of Compromise, please see Unit 42’s report at: https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/
