Brute Ratel

Malware updated a month ago (2024-09-04T17:17:42.280Z)
Brute Ratel is malicious software (malware) that cyber threat actors have increasingly used to exploit and damage computer systems. It is often delivered through suspicious downloads, emails, or websites and can infiltrate a system without the user's knowledge. Once inside, Brute Ratel can steal personal information, disrupt operations, or even hold data hostage for ransom. The malware is known to deliver multiple payloads, including the Havoc and Brute Ratel post-exploitation frameworks and a new variant of the PhantomCore remote access trojan (RAT). It has also been used to sign a dynamic-link library (DLL) that loads the offensive security tool known as Brute Ratel C4. Attackers have been observed using forged lure documents to target diplomatic staff, attempting to deliver custom loaders that drop public post-exploitation tools such as Cobalt Strike or Brute Ratel C4. In one instance, the SharpHound utility was run via Brute Ratel in an injected svchost.exe process to produce JSON files that were ingested into BloodHound, describing the Active Directory organisational units, group policies, domains, user groups, computers, and users. ALPHV/BlackCat affiliates have claimed to use Brute Ratel C4 and Cobalt Strike as beacons to their command-and-control servers, while the open-source adversary-in-the-middle (AitM) attack framework Evilginx2 lets them obtain multifactor authentication (MFA) credentials, login credentials, and session cookies. Qakbot-affiliated actors have also increasingly used Brute Ratel as a vehicle to drop other malware, most notably Cobalt Strike, Brute Ratel, and a slew of ransomware.
Description last updated: 2024-09-04T17:15:44.390Z
Aliases: none currently tracked
Miscellaneous Associations (other elements of context that could aid in identifying relevance): Cobalt Strike, Ransomware, Malware, Exploit, Windows, Implant, APT, Payload, Spearphishing
Associated Malware
Entries are listed as Alias (Association Type, Votes), followed by the description; descriptions are truncated in the source and marked [...].

QakBot (Unspecified, 5 votes)
The QakBot malware is associated with Brute Ratel. Qakbot is a potent piece of malware, or malicious software, that infiltrates computer systems through suspicious downloads, emails, or websites. Once installed, it can steal personal information, disrupt operations, or even hold data hostage for ransom. This malware, built by various groups includin[...]

Black Basta (Unspecified, 5 votes)
The Black Basta malware is associated with Brute Ratel. Black Basta is a notorious malware and ransomware group known for its high-profile attacks on various sectors. The group, also known as Storm-0506, has been active since at least early 2022 and has accumulated over $107 million in Bitcoin ransom payments. It deploys malicious software to exploit vul[...]

PlugX (Unspecified, 2 votes)
The PlugX malware is associated with Brute Ratel. PlugX is a Remote Access Trojan (RAT) malware known for its stealthy operations and destructive capabilities. It is often used by threat actors to exploit and damage computer systems, steal personal information, disrupt operations, or hold data hostage for ransom. Its deployment has been linked to s[...]

Conti (Unspecified, 2 votes)
The Conti malware is associated with Brute Ratel. Conti is a notorious type of malware, specifically ransomware, that infiltrates computer systems to steal data and disrupt operations. The malicious software often spreads through suspicious downloads, emails, or websites, and once inside, it can hold data hostage for ransom. The Conti ransomware op[...]

Qbot (Unspecified, 2 votes)
The Qbot malware is associated with Brute Ratel. Qbot, also known as Qakbot or Pinkslipbot, is a modular information stealer malware that first emerged in 2007 as a banking trojan. Its evolution has seen it become an advanced strain of malware used by multiple cybercriminal groups to prepare compromised networks for ransomware infestations. The fi[...]
Associated Threat Actors
Entries are listed as Alias (Association Type, Votes), followed by the description; descriptions are truncated in the source and marked [...].

AlphV (Unspecified, 2 votes)
The AlphV threat actor is associated with Brute Ratel. AlphV, also known as BlackCat, is a notorious threat actor that has been active since November 2021. This group pioneered the public leaks business model and has been associated with various ransomware families, including Akira, LockBit, Play, and Basta. AlphV gained significant attention for its la[...]

The Dukes (Unspecified, 2 votes)
The Dukes threat actor is associated with Brute Ratel. The Dukes, also known as APT29, Cozy Bear, Midnight Blizzard, and Nobelium, is a threat actor associated with the Russian government that has been active since at least 2008. Notably, this group was implicated in the 2015 attack on the American Democratic National Committee (DNC). The FBI alerted th[...]

Sandworm (Unspecified, 2 votes)
The Sandworm threat actor is associated with Brute Ratel. Sandworm, also known as APT44, is a Russia-linked threat actor that has been implicated in several major cyberattacks. This group has been particularly active against targets in Ukraine and Poland, with significant operations including the compromise of 11 Ukrainian telecommunications providers, whi[...]
Source Document References
Information about the Brute Ratel malware was read from the documents corpus below (display limited to 20 results). Only the source and relative creation date survive for each entry; titles and links are not present in the source.

Source, Created
InfoSecurity-magazine, a month ago
DARKReading, a year ago
Securityaffairs, 4 months ago
CERT-EU, 8 months ago
CERT-EU, 8 months ago
CERT-EU, 8 months ago
CERT-EU, 8 months ago
CISA, 10 months ago
DARKReading, 10 months ago
MITRE, 10 months ago
MITRE, 10 months ago
MITRE, 10 months ago
MITRE, 10 months ago
MITRE, 10 months ago
MITRE, 10 months ago
CERT-EU, a year ago
Recorded Future, a year ago
BankInfoSecurity, a year ago
CISA, a year ago
Securityaffairs, a year ago