
Threat actors exchange beacons for badgers to evade endpoint security
2022-07-07 15:09

Unidentified cyber threat actors have started using Brute Ratel C4, an adversary simulation tool similar to Cobalt Strike, to try to avoid detection by endpoint security solutions and gain a foothold on target networks, Palo Alto Networks researchers have found.

Their approach is apparently working: one of the files delivering the Brute Ratel C4 "Badger" - a remote-access payload comparable to Cobalt Strike's Beacon - was not initially flagged as malicious by any of the security engines used by VirusTotal.

The first file the researchers analyzed was an ISO image purporting to contain a CV; it was uploaded to VirusTotal on May 19, 2022, from Sri Lanka.

"The modification decrypts the file and in-memory loads the first stage of shellcode. To maintain code capabilities, the actors use DLL API proxying to forward requests to the legitimate version.dll named vresion.dll. Vresion.dll is a dependency file of the actor's version.dll and will be loaded with the actor's version.dll," researchers Mike Harbison and Peter Renals explained.

All the files except the LNK file are hidden from the user's view, as is the final delivery of the Brute Ratel C4 "Badger" payload. The researchers found another, similar malicious file uploaded to VirusTotal, named badger x64.
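One way a defender could triage an extracted ISO listing for the pattern described above (a hidden lookalike DLL whose name transposes two letters of a legitimate one, sitting next to the real DLL, with only the LNK left visible) is a small heuristic such as the following. This is an added example, not code from the Palo Alto Networks researchers or from Help Net Security; the file names in the sample listing are constructed, and the list of legitimate DLL names is a deliberately short stand-in for a real inventory.

```python
"""Heuristic triage of an extracted image listing (example code, not from the report)."""
from dataclasses import dataclass
from typing import Optional

# Constructed, deliberately short list of legitimate DLL names that are
# commonly mimicked; replace with a real inventory in practice.
KNOWN_DLLS = {"version.dll", "kernel32.dll", "user32.dll", "ws2_32.dll"}


@dataclass
class Entry:
    name: str      # file name as listed in the image
    hidden: bool   # hidden attribute set on the entry


def is_adjacent_transposition(a: str, b: str) -> bool:
    """True when b equals a with exactly one pair of adjacent characters swapped."""
    if len(a) != len(b) or a == b:
        return False
    diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])


def lookalike_of(name: str) -> Optional[str]:
    """Return the legitimate DLL name that this file name mimics, if any."""
    stem = name.lower()
    for known in KNOWN_DLLS:
        if stem != known and is_adjacent_transposition(stem, known):
            return known
    return None


def triage(entries: list) -> dict:
    """Summarise the indicators in a listing: lookalike DLLs, whether the
    lookalike's legitimate twin is shipped alongside it, and whether the only
    visible file is a shortcut."""
    names = {e.name.lower() for e in entries}
    lookalikes = {}
    for e in entries:
        legit = lookalike_of(e.name)
        if legit:
            lookalikes[e.name] = legit
    visible = [e.name for e in entries if not e.hidden]
    return {
        "lookalike_dlls": lookalikes,
        "paired_with_legit": [n for n, legit in lookalikes.items() if legit in names],
        "only_lnk_visible": bool(visible) and all(v.lower().endswith(".lnk") for v in visible),
    }


# Constructed listing modelled on the CV-themed ISO described in the article.
SAMPLE = [Entry("candidate-cv.lnk", False), Entry("updater.exe", True),
          Entry("version.dll", True), Entry("vresion.dll", True)]
```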

"Brute Ratel is uniquely dangerous in that it was specifically designed to avoid detection by endpoint detection and response and antivirus capabilities," the researchers noted, and urged security vendors to create protections to detect activity from this tool and organizations to take proactive measures to defend against it.


News URL

https://www.helpnetsecurity.com/2022/07/07/brute-ratel-avoid-detection/