Brute Ratel

Malware profile (updated a month ago)
Brute Ratel (Brute Ratel C4, BRc4) is a commercial adversary-simulation and command-and-control framework rather than a malware family in its own right. Its post-exploitation agents ("badgers") have been repurposed by threat actors, and cracked copies of the framework have circulated in the cybercriminal underground, which is why it turns up in both state-aligned espionage and ransomware operations. Because it is also a legitimately licensed red-team tool, a badger on a host is only meaningful together with how it got there and what it did afterwards.

In a series of intrusions targeting diplomatic staff and other sensitive targets, Brute Ratel was delivered through custom loaders embedded in lure documents that rely on the recipient to open the document and trigger the infection chain. Once running, the badger is used alongside other tools such as Cobalt Strike to establish beacons to command-and-control servers, giving the operators remote control of the infected host. The operators also ran the SharpHound collector to produce JSON files describing the victim's Active Directory environment (organisational units, group policies, domains, groups, computers and users) for offline analysis in BloodHound and attack-path planning.

ALPHV Blackcat affiliates have claimed to use both Brute Ratel C4 and Cobalt Strike as their beacons. The same affiliates use Evilginx2, an open-source adversary-in-the-middle (AitM) phishing framework, to proxy a victim's real login page and capture the username, password, session cookie and MFA response in transit, which lets them replay the authenticated session and bypass multifactor authentication. Together these tools give the affiliates initial access, persistence and hands-on control of compromised networks while defeating controls that stop simpler phishing.

Beyond ALPHV Blackcat, Qakbot-affiliated actors have adopted Brute Ratel and increasingly use it as a second-stage implant from which further payloads, including a range of ransomware strains (Black Basta among them, via the QAKBOT to Brute Ratel to Cobalt Strike chain noted in the references below), are deployed. In one reported case the Brute Ratel binary was installed as a Windows service named 'wewe', a persistence mechanism that keeps the implant running across reboots. Unexpected service installations with short or meaningless names and binaries outside the usual program directories are therefore a useful hunting signal for this activity.
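The service-based persistence described above leaves a "service installed" record (Event ID 7045 in the Windows System log). The following is an added example of hunting such records, not code from the profile or from any of the vendor reports it cites. The JSON-lines export and the host names in it are constructed for the example; only the service name 'wewe' comes from the profile, and the list of user-writable directories is an assumption to be tuned per environment.

```python
"""Hunt 'service installed' records (Windows System log, Event ID 7045) for the
kind of service-based persistence the profile reports for Brute Ratel.

Added example, not code from the profile or from any vendor report. The JSON
lines below are constructed to resemble Event ID 7045 records exported from
the System log; they are not real telemetry. Only the service name 'wewe' comes
from the profile; the image-path heuristics are assumptions of this example.
"""
import json
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample export: one JSON object per line, carrying the fields an
# Event ID 7045 record has (ServiceName, ImagePath, ServiceType, StartType,
# AccountName). Record 3 is a benign vendor updater; record 4 is not a 7045.
SAMPLE_LOG = r"""
{"EventID": 7045, "Computer": "WS01", "ServiceName": "wewe", "ImagePath": "C:\\ProgramData\\update\\svc.exe", "ServiceType": "user mode service", "StartType": "auto start", "AccountName": "LocalSystem"}
{"EventID": 7045, "Computer": "WS02", "ServiceName": "WinDefendUpdate", "ImagePath": "C:\\Users\\Public\\Libraries\\bin\\loader.exe -k netsvcs", "ServiceType": "user mode service", "StartType": "auto start", "AccountName": "LocalSystem"}
{"EventID": 7045, "Computer": "WS03", "ServiceName": "gupdate", "ImagePath": "\"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe\" /svc", "ServiceType": "user mode service", "StartType": "demand start", "AccountName": "LocalSystem"}
{"EventID": 7036, "Computer": "WS01", "ServiceName": "Spooler", "Message": "The Print Spooler service entered the running state."}
"""

# Service name the profile reports for a Brute Ratel install.
KNOWN_BAD_SERVICE_NAMES = {"wewe"}

# Directories a legitimately installed service binary rarely lives in
# (assumption of this example; tune to the environment).
USER_WRITABLE_DIRS = (
    "\\programdata\\", "\\users\\public\\", "\\appdata\\",
    "\\temp\\", "\\perflogs\\",
)


@dataclass
class Finding:
    computer: str
    service_name: str
    image_path: str
    reasons: List[str] = field(default_factory=list)


def executable_from_image_path(image_path: str) -> str:
    """Return just the executable from an ImagePath, dropping surrounding
    quotes and any arguments ('"C:\\x\\a.exe" /svc' -> 'C:\\x\\a.exe')."""
    image_path = image_path.strip()
    if image_path.startswith('"'):
        return image_path[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|dll|bat|cmd|ps1))(?:\s|$)", image_path, re.IGNORECASE)
    return m.group(1) if m else image_path.split(" ", 1)[0]


def score_event(ev: dict) -> Optional[Finding]:
    """Flag a 7045 record whose service name or binary location is suspicious."""
    if ev.get("EventID") != 7045:
        return None
    name = ev.get("ServiceName", "")
    exe = executable_from_image_path(ev.get("ImagePath", ""))
    exe_lc = exe.lower()
    reasons = []
    if name.lower() in KNOWN_BAD_SERVICE_NAMES:
        reasons.append(f"service name '{name}' matches a reported Brute Ratel install")
    if any(d in exe_lc for d in USER_WRITABLE_DIRS):
        reasons.append(f"binary under a user-writable directory: {exe}")
    # Only escalate the start/account combination when something else is off;
    # auto-start LocalSystem services are the norm for legitimate software too.
    if reasons and ev.get("StartType") == "auto start" and ev.get("AccountName") == "LocalSystem":
        reasons.append("auto-start as LocalSystem: survives reboot with full privileges")
    if not reasons:
        return None
    return Finding(ev.get("Computer", "?"), name, ev.get("ImagePath", ""), reasons)


def hunt(jsonl: str) -> List[Finding]:
    """Parse a JSON-lines export and return the suspicious service installs."""
    findings = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        f = score_event(json.loads(line))
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.computer}: service '{f.service_name}' -> {f.image_path}")
        for r in f.reasons:
            print("   -", r)
```

Run against a real export (for example `Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045}` converted to JSON lines), the script flags the 'wewe' service and the loader under Users\Public while leaving the quoted vendor updater alone; the known-name check is the high-confidence signal, the directory heuristic the one that needs local tuning.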
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Name (votes): profile description

DarkComet (1 vote): DarkComet is a Remote Access Trojan (RAT) that opens a backdoor on infected computers, allowing unauthorized access and data theft. This malware has been classified among the top five Command and Control (C2) families, indicating its widespread usage by cybercriminals. DarkComet, along with other es

Brc4 (1 vote): Brc4 is the short name for Brute Ratel C4, a commercial red-teaming and adversarial attack simulation tool whose agents have been abused as malware. It can infiltrate your system via suspicious downloads, emails, or websites, often without your knowledge. Once inside, it can steal
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Cobalt Strike
Malware
Ransomware
Windows
Payload
Exploit
Apt
Implant
Spearphishing
Reconnaissance
Eset
AITM
Github
Downloader
Backdoor
Facebook
Antivirus
Cybercrime
Youtube
Beacon
Associated Malware
Name (relationship type; votes): profile description

Black Basta (unspecified; 5 votes): Black Basta is a notorious malware entity known for its devastating ransomware attacks. First emerging in June 2022, the group has since been associated with a series of high-profile cyber-attacks worldwide. This malware, like others, infiltrates systems through suspicious downloads, emails, or webs

QakBot (unspecified; 5 votes): Qakbot is a potent malware, a malicious software designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it has the potential to steal personal information, disrupt operations, or e

PlugX (unspecified; 2 votes): PlugX is a notorious malware, typically associated with Chinese threat actors, that has been used in various cyberattacks. This malicious software infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. It

Qbot (unspecified; 2 votes): Qbot, also known as Qakbot or Pinkslipbot, is a modular information-stealing malware that emerged in 2007 as a banking trojan. Over the years, it has evolved into an advanced malware strain used by multiple cybercriminal groups to compromise networks and prepare them for ransomware attacks. The firs

Conti (unspecified; 2 votes): Conti is a type of malware, specifically ransomware, known for its ability to disrupt operations, steal personal information, and hold data hostage for ransom. The malicious software infiltrates systems via suspicious downloads, emails, or websites, often unbeknownst to the user. It has been used in

svchost.exe (unspecified; 1 vote): svchost.exe is the legitimate Windows service host process, not malware in itself; this profile records it because malware commonly injects code into it or names its own binary after it to blend in. Malware that abuses it typically arrives through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, di

Pikabot (unspecified; 1 vote): PikaBot is a harmful malware that emerged in 2023, designed to exploit and damage computer systems. It infiltrates systems through dubious downloads, emails, or websites, often undetected by the user. Once inside a system, PikaBot can pilfer personal information, disrupt operations, or even ransom d

SystemBC (unspecified; 1 vote): SystemBC is a malicious software (malware) that has been used in various cyber attacks to exploit and damage computer systems. This malware was observed in 2023, being heavily used with BlackBasta and Quicksand. It has been deployed by teams using BlackBasta during their attacks. Play ransomware act

IcedID (unspecified; 1 vote): IcedID is a malicious software (malware) designed to exploit and damage computer systems. It infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom

Bumblebee (unspecified; 1 vote): Bumblebee is a type of malware that has been linked to ITG23, a cybercriminal group known for the crypters it shares across malware families such as Emotet, IcedID, Qakbot, Bumblebee, and Gozi. Distributed via phishing campaigns or compromised websites, Bumblebee enables the delivery and execution of further payloads. The sam

Havoc Framework (unspecified; 1 vote): The Havoc Framework is a potent malware tool, designed for advanced post-exploitation command and control operations. It's been identified as the attacker's tool of choice during the second stage of a recent major cyber attack. This open-source framework is capable of bypassing even the most updated

Brc4 v1.0.x (unspecified; 1 vote): no description available
Associated Threat Actors
Name (relationship type; votes): profile description

The Dukes (unspecified; 2 votes): The Dukes, also known as APT29, Cozy Bear, Midnight Blizzard, and several other aliases, is a highly active threat actor group widely believed to be associated with the Russian Foreign Intelligence Service (SVR). The group has been operational since at least 2008, targeting various governments, thin

Sandworm (unspecified; 2 votes): Sandworm, a threat actor linked to Russia, has been implicated in numerous high-profile cyber attacks. This group's activities have primarily targeted Ukraine, compromising the country's critical infrastructure and telecommunications providers. The Sandworm group is known for its fileless attack met

AlphV (unspecified; 2 votes): AlphV, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. This group has been involved in numerous high-profile attacks, including stealing 5TB of data from Morrison Community Hospital and compromising Clarion, a global manufacturer of audio and video equipment for car

RedHotel (unspecified; 1 vote): RedHotel, also known as Aquatic Panda, ControlX, and Bronze University, is a threat actor linked to Chinese state-sponsored cyber groups. It is part of a sophisticated network of espionage operations including RedAlpha, Poison Carp, and i-SOON, which are primarily involved in the theft of telecommun

Winnti (unspecified; 1 vote): Winnti is a sophisticated threat actor group, first identified by Kaspersky in 2013, with activities dating back to at least 2007. The group has been associated with the Chinese nation-state and is part of a collective known as APT41, which also includes subgroups like Wicked Panda, Suckfly, and Bar
Associated Vulnerabilities
No associations to display.
Source Document References
Information about Brute Ratel was read from the documents listed below. This display is limited to 20 results.
Source (created): title

Securityaffairs (a month ago): Russia-linked APT Nobelium targets French diplomatic entities
CERT-EU (5 months ago): ALPHV Blackcat, GCP-Native Attacks, Bandook RAT, NoaBot Miner, Ivanti Secure Vulnerabilities, and More: Hacker’s Playbook Threat Coverage Round-up: February 2024
CERT-EU (5 months ago): US Government Warns Healthcare is Biggest Target for BlackCat Affiliat
CERT-EU (5 months ago): CISA, FBI Warn of Continued BlackCat Ransomware Activity | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU (5 months ago): US healthcare alerted against BlackCat amid targeted attacks | #ransomware | #cybercrime | National Cyber Security Consulting
CISA (7 months ago): #StopRansomware: ALPHV Blackcat | CISA
DARKReading (7 months ago): Qakbot Sightings Confirm Law Enforcement Takedown Was Only a Setback
MITRE (7 months ago): BlackCat ransomware attacks not merely a byproduct of bad luck
MITRE (7 months ago): PART 3: How I Met Your Beacon - Brute Ratel - MDSec
MITRE (7 months ago): When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors
MITRE (7 months ago): Brute Ratel C4
MITRE (7 months ago): Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike
MITRE (7 months ago): Cracked Brute Ratel C4 framework proliferates across the cybercriminal underground | SANS
CERT-EU (10 months ago): Identification and Disruption of QakBot Infrastructure - KizzMyAnthia.com
Recorded Future (a year ago): From Direct to Distant: The Challenge of Third and Fourth-Party Digital Risk Management
BankInfoSecurity (a year ago): Cybercrime Tremors: Experts Forecast Qakbot Resurgence
CISA (a year ago): Identification and Disruption of QakBot Infrastructure | CISA
Securityaffairs (a year ago): Experts warn of OSS supply chain attacks on the banking sector
Trend Micro (a year ago): 3 Shifts in the Cyber Threat Landscape
DARKReading (a year ago): Exfiltrator-22 Post-Exploitation Toolkit Nips At Cobalt Strike's Heels