BRc4 is malware associated with Brute Ratel C4, a new red-teaming and adversarial attack simulation tool. The malware establishes persistence across reboots by modifying the Windows registry, specifically adding an entry under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. It communicates with multiple Command and Control (C2) domains, such as bazarunet[.]com and tiguanin[.]com, giving the operator remote access and command execution on compromised systems. BRc4 uses a mixture of "Asynchronous Procedure Calls, Windows Event Creation, Wait Objects and Timers" for its operations.
The malware was discovered in samples containing a malicious payload disguised as legitimate software (vierm_soft_x64.dll, executed via rundll32). These scripts retrieved an MSI installer, which deployed Brute Ratel C4. Notably, the ISO containing the malware was assembled on May 17, 2022, the same day the new BRc4 version was released. BRc4 advertises a range of capabilities, but they are not detailed here.
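As an added defensive illustration (not code from the original description or from any vendor), the following Python checks constructed Sysmon-style log lines for the three behaviours named above: a value written under the HKCU Run key, rundll32 loading a DLL from a non-system path, and DNS queries for the listed C2 domains. The log format, field names, sample paths and the `vierm` value name are assumptions made for the example.

```python
import re

# The two C2 domains named in the description, de-fanged form removed for matching.
BRC4_C2_DOMAINS = {"bazarunet.com", "tiguanin.com"}
# Hive prefix is deliberately ignored: Sysmon logs HKCU keys as HKU\<SID>\... .
RUN_KEY_PATH = r"\software\microsoft\windows\currentversion\run" + "\\"

# Constructed Sysmon-style events (EventID 13 = registry value set,
# 1 = process create, 22 = DNS query). Not real telemetry.
SAMPLE_LOGS = [
    r"EventID=13 Image=C:\Windows\System32\rundll32.exe TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\vierm Details=rundll32.exe C:\Users\u\AppData\Local\Temp\vierm_soft_x64.dll,Start",
    r"EventID=1 Image=C:\Windows\System32\rundll32.exe CommandLine=rundll32.exe C:\Users\u\AppData\Local\Temp\vierm_soft_x64.dll,Start",
    r"EventID=22 Image=C:\Windows\System32\rundll32.exe QueryName=tiguanin.com",
    r"EventID=22 Image=C:\Program Files\Mozilla Firefox\firefox.exe QueryName=example.org",
    r"EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe readme.txt",
]


def parse_line(line):
    """Split 'Key=Value Key=Value' into a dict; a value runs until the next ' Key='."""
    return {k: v for k, v in re.findall(r"(\w+)=(.*?)(?= \w+=|$)", line)}


def detect(events):
    """Return (rule, detail) findings for the BRc4 behaviours described on this page."""
    findings = []
    for ev in map(parse_line, events):
        eid = ev.get("EventID")
        image = ev.get("Image", "").lower()
        # Persistence: any value set under ...\CurrentVersion\Run.
        if eid == "13" and RUN_KEY_PATH in ev.get("TargetObject", "").lower():
            findings.append(("hkcu_run_persistence", ev["TargetObject"]))
        # Execution: rundll32 given a DLL that does not live under C:\Windows.
        if eid == "1" and image.endswith("\\rundll32.exe"):
            m = re.search(r'([^\s"]+\.dll)', ev.get("CommandLine", ""), re.I)
            if m and not m.group(1).lower().startswith("c:\\windows\\"):
                findings.append(("rundll32_nonsystem_dll", m.group(1)))
        # C2: DNS lookup of a known BRc4 domain.
        if eid == "22" and ev.get("QueryName", "").lower() in BRC4_C2_DOMAINS:
            findings.append(("brc4_c2_dns", ev["QueryName"]))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_LOGS):
        print(f"{rule}: {detail}")
```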
This executive summary covers BRc4 itself, a detailed analysis of the malicious sample, a comparison between this sample's packaging and that of a recent APT29 sample, and a list of indicators of compromise (IoCs) that can be used to hunt for this activity. Expanding the scope to the top 20 C2 detections shows a broader C2 landscape that includes new families such as Brute Ratel (BRc4) and BumbleBee alongside mainstays such as PlugX, AsyncRAT, IcedID and DarkComet. The post-exploitation detections documented in v1.0 remain relevant and offer an effective means of detecting BRc4 post-exploitation activity.
Description last updated: 2024-11-15T16:06:29.374Z