win.brute_ratel_c4

Brute Ratel C4

aka: BruteRatel

Brute Ratel is a customized Command and Control center for red team and adversary simulation.

SMB and TCP payloads provide functionality to write custom external C2 channels over legitimate websites such as Slack, Discord, Microsoft Teams and more.
Built-in debugger to detect EDR userland hooks.
Ability to keep memory artifacts hidden from EDRs and AV.
Direct Windows syscalls on the fly.

References
2023-09-27 | Cyber Geeks | Vlad Pasca
@online{pasca:20230927:deep:2958d5b, author = {Vlad Pasca}, title = {{A Deep Dive into Brute Ratel C4 payloads – Part 2}}, date = {2023-09-27}, organization = {Cyber Geeks}, url = {https://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads-part-2/}, language = {English}, urldate = {2023-09-29} }
Related families: Brute Ratel C4

2023-09-22 | Mandiant | Luke Jenkins, Josh Atkins, Dan Black
@online{jenkins:20230922:backchannel:6da10a8, author = {Luke Jenkins and Josh Atkins and Dan Black}, title = {{Backchannel Diplomacy: APT29’s Rapidly Evolving Diplomatic Phishing Operations}}, date = {2023-09-22}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing}, language = {English}, urldate = {2023-10-18} }
Related families: Brute Ratel C4, Cobalt Strike, EnvyScout, GraphDrop, QUARTERRIG, sRDI, Unidentified 107 (APT29)

2023-08-31 | Cyber Geeks | CyberMasterV
@online{cybermasterv:20230831:deep:94c25e1, author = {CyberMasterV}, title = {{A Deep Dive into Brute Ratel C4 Payloads}}, date = {2023-08-31}, organization = {Cyber Geeks}, url = {https://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads/}, language = {English}, urldate = {2023-09-04} }
Related families: Brute Ratel C4

2023-08-07 | Recorded Future | Insikt Group
@techreport{group:20230807:redhotel:ee4dd20, author = {Insikt Group}, title = {{RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale}}, date = {2023-08-07}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf}, language = {English}, urldate = {2023-08-09} }
Related families: Winnti, Brute Ratel C4, Cobalt Strike, FunnySwitch, PlugX, ShadowPad, Spyder, Earth Lusca

2023-04-28 | Twitter (@MichalKoczwara) | Michael Koczwara
@online{koczwara:20230428:hunting:8290d1c, author = {Michael Koczwara}, title = {{Tweet on hunting BRC4 infrastructure}}, date = {2023-04-28}, organization = {Twitter (@MichalKoczwara)}, url = {https://twitter.com/MichalKoczwara/status/1652067563545800705}, language = {English}, urldate = {2023-05-25} }
Related families: Brute Ratel C4

2023-03-06 | ProtectedMo.de | Boymoder RE
@online{re:20230306:brute:ad7d790, author = {Boymoder RE}, title = {{Brute Ratel - Scandinavian Defence}}, date = {2023-03-06}, organization = {ProtectedMo.de}, url = {https://protectedmo.de/brute.html}, language = {English}, urldate = {2023-03-20} }
Related families: Brute Ratel C4

2023-02-23 | Andrea Fortuna's Blog | Andrea Fortuna
@online{fortuna:20230223:how:5b24b34, author = {Andrea Fortuna}, title = {{How to detect Brute Ratel activities}}, date = {2023-02-23}, organization = {Andrea Fortuna's Blog}, url = {https://andreafortuna.org/2023/02/23/how-to-detect-brute-ratel-activities}, language = {English}, urldate = {2023-05-10} }
Related families: Brute Ratel C4

2023-02-15 | Yoroi | Luigi Martire, Carmelo Ragusa
@online{martire:20230215:hunting:eb09f70, author = {Luigi Martire and Carmelo Ragusa}, title = {{Hunting Cyber Evil Ratels: From the targeted attacks to the widespread usage of Brute Ratel}}, date = {2023-02-15}, organization = {Yoroi}, url = {https://web.archive.org/web/20230216110153/https://yoroi.company/research/hunting-cyber-evil-ratels-from-the-targeted-attacks-to-the-widespread-usage-of-brute-ratel/}, language = {English}, urldate = {2023-02-16} }
Related families: Brute Ratel C4

2023-01-29 | Dark Vortex | Paranoid Ninja
@online{ninja:20230129:hiding:1b59393, author = {Paranoid Ninja}, title = {{Hiding In PlainSight - Indirect Syscall is Dead! Long Live Custom Call Stacks}}, date = {2023-01-29}, organization = {Dark Vortex}, url = {https://0xdarkvortex.dev/hiding-in-plainsight/}, language = {English}, urldate = {2023-02-21} }
Related families: Brute Ratel C4

2023-01-26 | Dark Vortex | Paranoid Ninja
@online{ninja:20230126:hiding:3ea1a8c, author = {Paranoid Ninja}, title = {{Hiding In PlainSight - Proxying DLL Loads To Hide From ETWTI Stack Tracing}}, date = {2023-01-26}, organization = {Dark Vortex}, url = {https://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/}, language = {English}, urldate = {2023-02-21} }
Related families: Brute Ratel C4

2022-10-25 | Medium walmartglobaltech | Jason Reaves
@online{reaves:20221025:brute:3e3f821, author = {Jason Reaves}, title = {{Brute Ratel Config Decoding update}}, date = {2022-10-25}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/brute-ratel-config-decoding-update-7820455022cb}, language = {English}, urldate = {2023-01-31} }
Related families: Brute Ratel C4

2022-10-12 | Twitter (@embee_research) | Embee_research, Huntress Labs
@online{embeeresearch:20221012:tweets:3284cd3, author = {Embee_research and Huntress Labs}, title = {{Tweets on detection of Brute Ratel via API Hashes}}, date = {2022-10-12}, organization = {Twitter (@embee_research)}, url = {https://twitter.com/embee_research/status/1580030303950995456?s=20&t=0vfXnrCXaVSX-P-hiSrFwA}, language = {English}, urldate = {2022-11-21} }
Related families: Brute Ratel C4

2022-10-12 | Trend Micro | Ian Kenefick, Lucas Silva, Nicole Hernandez
@online{kenefick:20221012:black:17505c9, author = {Ian Kenefick and Lucas Silva and Nicole Hernandez}, title = {{Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike}}, date = {2022-10-12}, organization = {Trend Micro}, url = {https://www.trendmicro.com/de_de/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html}, language = {English}, urldate = {2023-05-23} }
Related families: Black Basta, Brute Ratel C4, Cobalt Strike, QakBot

2022-10-04 | splunk | Splunk Threat Research Team
@online{team:20221004:deliver:dba14df, author = {Splunk Threat Research Team}, title = {{Deliver a Strike by Reversing a Badger: Brute Ratel Detection and Analysis}}, date = {2022-10-04}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/deliver-a-strike-by-reversing-a-badger-brute-ratel-detection-and-analysis.html}, language = {English}, urldate = {2022-10-06} }
Related families: Brute Ratel C4

2022-09-01 | Medium michaelkoczwara | Michael Koczwara
@online{koczwara:20220901:hunting:45c54de, author = {Michael Koczwara}, title = {{Hunting C2/Adversaries Infrastructure with Shodan and Censys}}, date = {2022-09-01}, organization = {Medium michaelkoczwara}, url = {https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f}, language = {English}, urldate = {2023-01-19} }
Related families: Brute Ratel C4, Cobalt Strike, Deimos, GRUNT, IcedID, Merlin, Meterpreter, Nighthawk, PoshC2, Sliver

2022-08-22 | Microsoft | Microsoft
@online{microsoft:20220822:extortion:67c26d4, author = {Microsoft}, title = {{Extortion Economics - Ransomware’s new business model}}, date = {2022-08-22}, organization = {Microsoft}, url = {https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v}, language = {English}, urldate = {2022-08-31} }
Related families: BlackCat, Conti, Hive, REvil, AgendaCrypt, Black Basta, BlackCat, Brute Ratel C4, Cobalt Strike, Conti, Hive, Mount Locker, Nokoyawa Ransomware, REvil, Ryuk

2022-08-03 | MDSec | Dominic Chell
@online{chell:20220803:part:3f8002b, author = {Dominic Chell}, title = {{PART 3: How I Met Your Beacon – Brute Ratel}}, date = {2022-08-03}, organization = {MDSec}, url = {https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/}, language = {English}, urldate = {2022-10-06} }
Related families: Brute Ratel C4

2022-07-09 | spookysec | Ronnie
@online{ronnie:20220709:analyzing:b124529, author = {Ronnie}, title = {{Analyzing a Brute Ratel Badger}}, date = {2022-07-09}, organization = {spookysec}, url = {https://blog.spookysec.net/analyzing-brc4-badgers/}, language = {English}, urldate = {2022-10-06} }
Related families: Brute Ratel C4

2022-07-07 | SOCRadar | SOCRadar
@online{socradar:20220707:brute:fd80023, author = {SOCRadar}, title = {{Brute Ratel Utilized By Threat Actors In New Ransomware Operations}}, date = {2022-07-07}, organization = {SOCRadar}, url = {https://socradar.io/brute-ratel-utilized-by-threat-actors-in-new-ransomware-operations/}, language = {English}, urldate = {2022-10-19} }
Related families: Brute Ratel C4

2022-07-06 | YouTube (IppSec) | IppSec
@online{ippsec:20220706:reversing:542aecd, author = {IppSec}, title = {{Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?}}, date = {2022-07-06}, organization = {YouTube (IppSec)}, url = {https://www.youtube.com/watch?v=a7W6rhkpVSM}, language = {English}, urldate = {2023-03-24} }
Related families: Brute Ratel C4

2022-07-05 | Mike Harbison
@online{harbison:20220705:when:7a1f44b, author = {Mike Harbison}, title = {{When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors}}, date = {2022-07-05}, url = {https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/}, language = {English}, urldate = {2022-07-13} }
Related families: Brute Ratel C4

2021-06-01 | Dark Vortex | Dark Vortex
@online{vortex:20210601:pe:b2ecdbc, author = {Dark Vortex}, title = {{PE Reflection: The King is Dead, Long Live the King}}, date = {2021-06-01}, organization = {Dark Vortex}, url = {https://bruteratel.com/research/feature-update/2021/06/01/PE-Reflection-Long-Live-The-King/}, language = {English}, urldate = {2023-04-28} }
Related families: Brute Ratel C4
Yara Rules
[TLP:WHITE] win_brute_ratel_c4_w0 (20221012 | No description)
rule win_brute_ratel_c4_w0 {
    // Looks for API hashes present in Brute Ratel Badger payloads.
    meta:
        author = "Embee_Research @ Huntress"
        vendor = "Huntress"
        created = "2022/10/12"
        source = "https://raw.githubusercontent.com/embee-research/Yara/main/BruteSyscalls.yara"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.brute_ratel_c4"
        malpedia_rule_date = "20221012"
        malpedia_hash = ""
        malpedia_version = "20221012"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Hashed names of the NT API functions the badger resolves at runtime
        $hash1 = {89 4d 39 8c} // NtProtectVirtualMemory
        $hash2 = {bd ca 3b d3} // NtAllocateVirtualMemory
        $hash3 = {b2 c1 06 ae} // NtWaitForSingleObject
        $hash4 = {74 eb 1d 4d} // NtCreateThreadEx

    condition:
        // 0x5a4d == regular PE/DLL ("MZ" magic, read little-endian)
        // 0x00e8 == start of Brute Ratel shellcode
        (2 of them) and (uint16(0) == 0x5a4d or uint16(0) == 0x00e8)
}