Brc4

Malware updated 23 days ago (2024-11-29T13:32:56.414Z)
Download STIX
Preview STIX
BRc4 is a malware associated with Brute Ratel C4, a new red-teaming and adversarial attack simulation tool. The malware operates by modifying the Windows registry to ensure persistence across reboots, specifically adding an entry under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. It communicates with multiple Command and Control (C2) domains, such as bazarunet[.]com and tiguanin[.]com, enabling remote access and command execution on compromised systems. BRc4 uses a mixture of "Asynchronous Procedure Calls, Windows Event Creation, Wait Objects and Timers" for its operations. The malware was discovered in samples that contained a malicious payload disguised as legitimate software (vierm_soft_x64.dll under rundll32 execution). These scripts retrieved an MSI installer, which deployed Brute Ratel C4. Interestingly, the ISO containing the malware was assembled on May 17, 2022, coinciding with the release date of the new BRc4. In terms of capabilities, BRc4 advertises various features, but these are not specified here. This executive summary provides an overview of BRc4, a detailed analysis of the malicious sample, a comparison between the packaging of this sample and a recent APT29 sample, and a list of indicators of compromise (IoCs) that can be used to hunt for this activity. When expanding the scope into the top 20 C2 detections, we see a more well-rounded C2 environment including new families, such as Brute Ratel (BRc4) and BumbleBee alongside mainstays such as PlugX, AsyncRAT, IcedID and DarkComet. The detections documented in v1.0 for post-exploitation actions remain relevant and offer an effective means of detection for BRC4 post-exploitation.
Description last updated: 2024-11-15T16:06:29.374Z
What's your take? (Question 1 of 2)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Brute Ratel is a possible alias for Brc4. Brute Ratel C4 (BRc4) is a potent malware that has been used in various cyber-attacks over the past 15 years. The malware infects systems through deceptive MSI installers, which deploy the BRc4 by disguising the payload as legitimate software such as vierm_soft_x64.dll under rundll32 execution. Vari
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Payload
Windows
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Source Document References
Information about the Brc4 Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more