Brute Ratel

Malware updated a month ago (2024-09-04T17:17:42.280Z)
Brute Ratel is malicious software (malware) that cyber threat actors have increasingly used to exploit and damage computer systems. It is often delivered through suspicious downloads, emails, or websites and can infiltrate systems without the user's knowledge. Once inside, Brute Ratel can steal personal information, disrupt operations, or even hold data hostage for ransom.

The malware is known to deliver multiple payloads, including the Havoc and Brute Ratel post-exploitation frameworks and a new variant of the PhantomCore remote access trojan (RAT). It has also been used to sign a dynamic-link library (DLL) that loads the offensive security tool known as Brute Ratel C4. Attackers have been observed using forged lure documents to target diplomatic staff, attempting to deliver custom loaders that drop public post-exploitation tools such as Cobalt Strike or Brute Ratel C4. In one instance, the SharpHound utility was run via Brute Ratel in an injected svchost.exe process, producing JSON files that were ingested into BloodHound; these described Active Directory Organisational Units, Group Policies, Domains, User Groups, Computers, and Users.

ALPHV BlackCat affiliates have claimed to use Brute Ratel C4 and Cobalt Strike as beacons to their command-and-control servers, while the open-source adversary-in-the-middle (AitM) attack framework Evilginx2 enables them to obtain multifactor authentication (MFA) credentials, login credentials, and session cookies. Qakbot-affiliated actors have also been observed increasingly using Brute Ratel as a vehicle to drop other malware, most notably Cobalt Strike, Brute Ratel, and a slew of ransomware.
Description last updated: 2024-09-04T17:15:44.390Z
Aliases: We are not currently tracking any aliases.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Cobalt Strike
Ransomware
Malware
Exploit
Windows
Implant
Apt
Payload
Spearphishing
Associated Malware
Alias | Description | Association Type | Votes
QakBot | The QakBot Malware is associated with Brute Ratel. Qakbot is a potent piece of malware, or malicious software, that infiltrates computer systems through suspicious downloads, emails, or websites. Once installed, it can steal personal information, disrupt operations, or even hold data hostage for ransom. This malware, built by various groups includin | Unspecified | 5
Black Basta | The Black Basta Malware is associated with Brute Ratel. Black Basta is a notorious malware and ransomware group known for its high-profile attacks on various sectors. The group, also known as Storm-0506, has been active since at least early 2022 and has accumulated over $107 million in Bitcoin ransom payments. It deploys malicious software to exploit vul | Unspecified | 5
PlugX | The PlugX Malware is associated with Brute Ratel. PlugX is a malicious software (malware) known for its stealthy operations. It has been linked to several cyberattacks, and its use has been attributed to various threat groups, including Winnti and MustangPanda. The malware leverages DLL side-loading to remain undetected, making it a potent tool in | Unspecified | 2
Conti | The Conti Malware is associated with Brute Ratel. Conti is a type of malware, specifically a ransomware, that infiltrates computer systems to exploit and damage them. It was commonly used in cyberattacks by ITG23, a cybercriminal group which also used other malware like Trickbot and BazarLoader. The Conti ransomware was known for its sophisticated | Unspecified | 2
Qbot | The Qbot Malware is associated with Brute Ratel. Qbot, also known as Qakbot or Pinkslipbot, is a modular information stealer malware that first emerged in 2007 as a banking trojan. Its evolution has seen it become an advanced strain of malware used by multiple cybercriminal groups to prepare compromised networks for ransomware infestations. The fi | Unspecified | 2
Associated Threat Actors
Alias | Description | Association Type | Votes
Alphv | The Alphv Threat Actor is associated with Brute Ratel. AlphV, also known as BlackCat, is a notable threat actor that has been operational since November 2021. This group has pioneered the public leaks business model in the realm of ransomware attacks and has been associated with significant cybercrimes. It is particularly infamous for its attack on Morr | Unspecified | 2
The Dukes | The Dukes Threat Actor is associated with Brute Ratel. The Dukes, also known as APT29, Cozy Bear, Midnight Blizzard, and Nobelium, is a threat actor widely believed to be linked to the Russian government. The group has been active since at least 2008, conducting cyber espionage operations against various governments, think tanks, diplomatic entities, an | Unspecified | 2
Sandworm | The Sandworm Threat Actor is associated with Brute Ratel. Sandworm, also known as APT44, is a Russia-linked threat actor that has been implicated in several major cyberattacks. This group has been particularly active against targets in Ukraine and Poland, with significant operations including the compromise of 11 Ukrainian telecommunications providers, whi | Unspecified | 2
Source Document References
Information about the Brute Ratel Malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created At
InfoSecurity-magazine | a month ago
DARKReading | a year ago
Securityaffairs | 4 months ago
CERT-EU | 7 months ago
CERT-EU | 7 months ago
CERT-EU | 7 months ago
CERT-EU | 7 months ago
CISA | 10 months ago
DARKReading | 10 months ago
MITRE | 10 months ago
MITRE | 10 months ago
MITRE | 10 months ago
MITRE | 10 months ago
MITRE | 10 months ago
MITRE | 10 months ago
CERT-EU | a year ago
Recorded Future | a year ago
BankInfoSecurity | a year ago
CISA | a year ago
Securityaffairs | a year ago