Brute Ratel

Malware updated 22 days ago (2024-11-29T14:34:47.326Z)
Brute Ratel C4 (BRc4) is a potent malware that has been used in various cyber-attacks over the past 15 years. It infects systems through deceptive MSI installers that deploy BRc4 by disguising the payload as legitimate software, such as vierm_soft_x64.dll executed under rundll32. Various samples of this malware have been identified and analyzed to better understand its structure and functioning. Over time, many hosting providers have ceased support due to stricter no-malware policies, but the malware continues to evolve and find new ways to infiltrate systems.

The malware came into the spotlight again on October 30, 2024, when EclecticIQ reported a campaign by LUNAR SPIDER that used Latrodectus, a heavily obfuscated JavaScript loader, to deliver Brute Ratel C4 payloads targeting the financial sector. The malicious files were also found to deliver multiple payloads, including the Havoc and Brute Ratel post-exploitation frameworks and a new variant of the PhantomCore remote access trojan (RAT). A certificate was used to sign a dynamic-link library (DLL) that loaded the offensive security tool known as Brute Ratel C4. Attackers have been using lure documents to target diplomatic staff, attempting to deliver their custom loaders to drop public post-exploitation tools such as Cobalt Strike or Brute Ratel C4.

Additionally, the SharpHound utility is run via Brute Ratel in an injected svchost.exe process to output JSON files that are ingested into BloodHound. ALPHV BlackCat affiliates have claimed to use Brute Ratel C4 and Cobalt Strike as beacons to command and control servers. These tools provide "beacons" to command and control servers, while the open-source adversary-in-the-middle (AitM) attack framework Evilginx2 enables them to obtain multifactor authentication (MFA) credentials, login credentials, and session cookies.
Description last updated: 2024-11-15T16:06:06.656Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.

Alias | Description | Votes
Brc4 | Brc4 is a possible alias for Brute Ratel. BRc4 is a malware associated with Brute Ratel C4, a new red-teaming and adversarial attack simulation tool. The malware operates by modifying the Windows registry to ensure persistence across reboots, specifically adding an entry under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. | 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Cobalt Strike
Ransomware
Malware
Payload
Windows
Exploit
Implant
Apt
Spearphishing
Associated Malware
Alias | Description | Association Type | Votes
Black Basta | The Black Basta Malware is associated with Brute Ratel. Black Basta is a notorious malware group known for its sophisticated ransomware attacks, which have targeted numerous high-profile entities. The group has demonstrated a remarkable ability to adapt their tactics, techniques, and procedures (TTPs), allowing them to effectively evade security defenses | Unspecified | 5
QakBot | The QakBot Malware is associated with Brute Ratel. Qakbot is a type of malware, or malicious software, that infiltrates computer systems to exploit and damage them. This harmful program can infect devices through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt ope | Unspecified | 5
Qbot | The Qbot Malware is associated with Brute Ratel. Qbot, also known as Qakbot or Pinkslipbot, is a sophisticated malware that initially emerged in 2007 as a banking trojan. It has since evolved into an advanced strain used by various cybercriminal groups to infiltrate networks and prepare them for ransomware attacks. The first known use of an ITG23 | Unspecified | 2
Conti | The Conti Malware is associated with Brute Ratel. Conti is a type of malware, specifically ransomware, which is designed to infiltrate and damage computer systems. This malicious software can enter systems through various methods such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal persona | Unspecified | 2
PlugX | The PlugX Malware is associated with Brute Ratel. PlugX is a Remote Access Trojan (RAT) malware known for its stealthy operations and destructive capabilities. It is often used by threat actors to exploit and damage computer systems, steal personal information, disrupt operations, or hold data hostage for ransom. Its deployment has been linked to s | Unspecified | 2
Associated Threat Actors
Alias | Description | Association Type | Votes
Alphv | The Alphv Threat Actor is associated with Brute Ratel. Alphv, also known as BlackCat, is a threat actor group that has been linked to numerous cyberattacks, particularly targeting the healthcare sector. The group made headlines when it stole 5TB of data from Morrison Community Hospital, causing significant disruption and raising concerns about patient p | Unspecified | 2
The Dukes | The Dukes Threat Actor is associated with Brute Ratel. The Dukes, also known as APT29, Cozy Bear, Midnight Blizzard, Nobelium, and BlueBravo, is a threat actor associated with the Russian government. The group has been active since at least 2008 and has targeted various governments, think tanks, diplomatic entities, and political parties. Notably, in Se | Unspecified | 2
Sandworm | The Sandworm Threat Actor is associated with Brute Ratel. Sandworm, a threat actor linked to Russia, has been identified as the primary cyber attack unit supporting Russian military activities in Ukraine. This group is notorious for its sophisticated and disruptive cyber attacks, including the compromise of 11 Ukrainian telecommunications providers which c | Unspecified | 2