Ransomware gangs, APT groups ditch Cobalt Strike for Brute Ratel
2022-07-06 17:32

APT hacking groups and ransomware operations are moving away from Cobalt Strike to the newer Brute Ratel post-exploitation toolkit to evade detection by EDR and antivirus solutions.

In 2020, Chetan Nayak, an ex-red teamer at Mandiant and CrowdStrike, released Brute Ratel Command and Control Center as an alternative to Cobalt Strike for red team penetration testing engagements.

Like Cobalt Strike, Brute Ratel is an adversarial attack simulation tool that allows red teamers to deploy 'Badgers' on remote hosts.

In a new report by Palo Alto Unit 42, researchers have spotted threat actors moving away from Cobalt Strike to using Brute Ratel as their post-exploitation toolkit of choice.

Once the Brute Ratel badger is loaded, the threat actors can remotely access the compromised device to execute commands and spread further in the now-breached network.

"In one particular case, they have gained access to the Brute Ratel kit that was used for post-exploitation in targeted attacks from BumbleBee loader. The ultimate goal of the Brute Ratel usage was a post-exploitation framework for lateral movement and subsequent network encryption via ransomware payload."
News URL

https://www.bleepingcomputer.com/news/security/ransomware-gangs-apt-groups-ditch-cobalt-strike-for-brute-ratel/