Security News > 2022 > July > Hackers Abusing BRc4 Red Team Penetration Tool in Attacks to Evade Detection

Malicious actors have been observed abusing legitimate adversary simulation software in their attacks in an attempt to stay under the radar and evade detection.

Palo Alto Networks Unit 42 said a malware sample uploaded to the VirusTotal database on May 19, 2022, contained a payload associated with Brute Ratel C4, a relatively new sophisticated toolkit "Designed to avoid detection by endpoint detection and response and antivirus capabilities."

BRc4 is equipped with a wide variety of features, such as process injection, automating adversary TTPs, capturing screenshots, uploading and downloading files, support for multiple command-and-control channels, and the ability to keep memory artifacts concealed from anti-malware engines, among others.

The artifact, which was uploaded from Sri Lanka, masquerades as a curriculum vitae of an individual named Roshan Bandara but in reality is an optical disc image file that, when double-clicked, mounts it as a Windows drive containing a seemingly harmless Word document that, upon launching, installs BRc4 on the user's machine and establishes communications with a remote server.

The investigation has since unearthed seven more BRc4 samples dating back to February 2021.

"Yet more alarming is the effectiveness of BRc4 at defeating modern defensive EDR and AV detection capabilities."

News URL

https://thehackernews.com/2022/07/hackers-abusing-brc4-red-team.html