Brute Ratel

Malware updated 11 hours ago (2024-11-20T18:05:34.536Z)
Brute Ratel C4 (BRc4) is a potent malware that has been used in various cyber-attacks over the past 15 years. The malware infects systems through deceptive MSI installers, which deploy BRc4 by disguising the payload as legitimate software such as vierm_soft_x64.dll executed under rundll32. Various samples of this malware have been identified and analyzed to better understand its structure and functioning. Over time, many hosting providers have ceased support due to stricter no-malware policies, but the malware continues to evolve and find new ways to infiltrate systems. The malware came into the spotlight again on October 30, 2024, when EclecticIQ reported a campaign by LUNAR SPIDER that used Latrodectus, a heavily obfuscated JavaScript loader, to deliver Brute Ratel C4 payloads targeting the financial sector. The malicious files were also found to be delivering multiple payloads, including the Havoc and Brute Ratel post-exploitation frameworks and a new variant of the PhantomCore remote access trojan (RAT). A certificate was used to sign a dynamic-link library (DLL) that loaded the offensive security tool known as Brute Ratel C4. Attackers have been using lure documents to target diplomatic staff, attempting to deliver their custom loaders to drop public post-exploitation tools such as Cobalt Strike or Brute Ratel C4. Additionally, the SharpHound utility is run via Brute Ratel in an injected svchost.exe process to output JSON files that are ingested into BloodHound. ALPHV Blackcat affiliates have claimed to use Brute Ratel C4 and Cobalt Strike as beacons to command and control servers. These tools provide "beacons" to command and control servers, while the open-source adversary-in-the-middle (AitM) attack framework Evilginx2 enables them to obtain multifactor authentication (MFA) credentials, login credentials, and session cookies.
Description last updated: 2024-11-15T16:06:06.656Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names and profiles you may also want to look at.
Alias, Description, Votes
Brc4 is a possible alias for Brute Ratel. BRc4 is a malware associated with Brute Ratel C4, a new red-teaming and adversarial attack simulation tool. The malware operates by modifying the Windows registry to ensure persistence across reboots, specifically adding an entry under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
Votes: 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Cobalt Strike
Ransomware
Malware
Payload
Windows
Exploit
Implant
Apt
Spearphishing
Analyst Notes & Discussion
Associated Malware
Alias, Description, Association Type, Votes
The Black Basta Malware is associated with Brute Ratel. Black Basta is a notorious malware group known for its sophisticated ransomware attacks, which have targeted numerous high-profile entities. The group has demonstrated a remarkable ability to adapt their tactics, techniques, and procedures (TTPs), allowing them to effectively evade security defenses
Association type: Unspecified. Votes: 5
The QakBot Malware is associated with Brute Ratel. Qakbot is a malicious software (malware) designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user, with the potential to steal personal information, disrupt operations, or hold data for ransom. Built by d
Association type: Unspecified. Votes: 5
The Qbot Malware is associated with Brute Ratel. Qbot, also known as Qakbot or Pinkslipbot, is a modular information stealer malware that first emerged in 2007 as a banking trojan. Its evolution has seen it become an advanced strain of malware used by multiple cybercriminal groups to prepare compromised networks for ransomware infestations. The fi
Association type: Unspecified. Votes: 2
The Conti Malware is associated with Brute Ratel. Conti is a type of malware, specifically ransomware, that was designed to infiltrate computer systems, disrupt operations, and potentially hold data hostage for ransom. It has been linked to various ransomware groups such as Quantum, MountLocker, and the notorious Conti ransomware gang. The software
Association type: Unspecified. Votes: 2
The PlugX Malware is associated with Brute Ratel. PlugX is a Remote Access Trojan (RAT) malware known for its stealthy operations and destructive capabilities. It is often used by threat actors to exploit and damage computer systems, steal personal information, disrupt operations, or hold data hostage for ransom. Its deployment has been linked to s
Association type: Unspecified. Votes: 2
Associated Threat Actors
Alias, Description, Association Type, Votes
The Alphv Threat Actor is associated with Brute Ratel. Alphv, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. Originating from Russia, this cybercriminal group has been involved in multiple high-profile ransomware attacks, specifically targeting healthcare providers. They gained significant attention after stealing 5TB
Association type: Unspecified. Votes: 2
The Dukes Threat Actor is associated with Brute Ratel. The Dukes, also known as APT29, Cozy Bear, Midnight Blizzard, Nobelium, and BlueBravo, is a threat actor associated with the Russian government. The group has been active since at least 2008 and has targeted various governments, think tanks, diplomatic entities, and political parties. Notably, in Se
Association type: Unspecified. Votes: 2
The Sandworm Threat Actor is associated with Brute Ratel. Sandworm, a threat actor believed to be linked to Russia, has been identified as one of the most active groups supporting Russian military activities in Ukraine. Notorious for its sophisticated cyber-attacks, Sandworm has compromised 11 Ukrainian telecommunications providers, significantly disruptin
Association type: Unspecified. Votes: 2