Malicious hackers have cracked the Brute Ratel C4 (BRC4) post-exploitation toolkit and published it for free across Russian-speaking and English-speaking hacking forums.
For those unfamiliar with BRC4, it is a post-exploitation toolkit originally designed by Chetan Nayak for red team analysts as a replacement for Cobalt Strike in penetration testing. The toolkit was specifically created to bypass detection by security solutions such as endpoint detection and response (EDR) and antivirus (AV).
According to Will Thomas, the cybersecurity researcher who first identified the breach, the toolkit's potential to be reposted on other websites and to reach many more hackers could have catastrophic results.
How did hackers crack BRC4?
At first, threat actors created bogus firms to get around the license requirements for use of the toolkit.
This was done because the developer of BRC4, Chetan Nayak, has the authority to revoke the licenses of any customers exploiting Brute Ratel for nefarious activities.
However, Nayak claims that the uncracked version was uploaded to VirusTotal in mid-September, which was then cracked by the "Russian group Molecules" to remove the license check. He also accused MdSec of having done the upload, but it is still unclear who uploaded the files.
The hackers have now published the cracked version of the tool on multiple English- and Russian-speaking communities, including CryptBB, RAMP, BreachForums, Exploit[.]in, Xss[.]is, and Telegram and Discord groups.
“There are now multiple posts on multiple of the most populated cybercrime forums where data brokers, malware developers, initial access brokers, and ransomware affiliates all hang out,” said Thomas in the report.
Future remains uncertain
Thomas explained the potential dangers of the leaked toolkit, saying it can generate shellcode that is not easily detected by security software at this time.
“One of the most concerning aspects of the BRC4 tool for many security experts is its ability to generate shellcode that is undetected by many EDR and AV products. This extended window of detection evasion can give threat actors enough time to establish initial access, begin a lateral movement, and achieve persistence elsewhere,” the researcher added.
Knowing that this post-exploitation toolkit is in the hands of hackers who should never have gained access to it is definitely spine-chilling. Let's hope that antivirus software designers can improve their detection of Brute Ratel soon enough.
In the meantime, the researcher has advised security, Windows, and network admins to review MdSec's blog on Brute Ratel C4 to learn more about spotting the software on their networks.