Palo Alto Networks’ Unit 42 security researchers have uncovered that Russian state-sponsored hackers are compromising the latest Brute Ratel C4 or BRc4 red-teaming and adversarial simulation/penetration software in their latest and active attacks in an attempt to stay under the radar and evade detection.
Following the attack, Palo Alto Networks Unit 42 reported that a malware sample was uploaded to the VirusTotal database on May 19, 2022, in which they found a payload associated with Brute Ratel C4, a relatively new advanced toolkit that is designed to avoid detection and response (EDR) and antivirus (AV) capabilities.
“The sample contained a malicious payload associated with Brute Ratel C4 (BRc4), the newest red-teaming and adversarial attack simulation tool to hit the market. While this capability has managed to stay out of the spotlight and remains less commonly known than its Cobalt Strike brethren, it is no less sophisticated. Instead, this tool is uniquely dangerous in that it was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities. Its effectiveness at doing so can clearly be witnessed by the aforementioned lack of detection across vendors on VirusTotal,” said the network in their blog.
Cyber intelligence at the network believes that malicious actors are targeting entities worldwide, however, they are making their primary targets in South and North America.
The researchers issued a warning in which they urged the cybersecurity fraternity to investigate the attack and look in-depth for any sign of malware, including the BRc4 tool.
Researchers have found that the malicious payloads indicate the involvement of the Advanced Persistent Threat group 29, The Dukes, or Cozy Bear as the tactics employed were similar to this group. CozyBear is a Russian state-sponsored malicious group that was previously involved in the devastating Solar Winds attacks in 2020.
This commercial software was released in 2020 and has since gained over 480 licenses across 350 customers. BRc4 is equipped with a wide variety of features, it provides process injection, capturing screenshots, automating adversary TTPs, uploading and downloading files, support for multiple command-and-control channels, and it also has the ability to keep memory artifacts concealed from anti-malware engines.