SYMBOLCOMMON_NAMEaka. SYNONYMS
win.brute_ratel_c4 (Back to overview)

Brute Ratel C4

aka: BruteRatel

Brute Ratel is a a Customized Command and Control Center for Red Team and Adversary Simulation

SMB and TCP payloads provide functionality to write custom external C2 channels over legitimate websites such as Slack, Discord, Microsoft Teams and more.
Built-in debugger to detect EDR userland hooks.
Ability to keep memory artifacts hidden from EDRs and AV.
Direct Windows SYS calls on the fly.

References
2023-09-27Cyber GeeksVlad Pasca
A Deep Dive into Brute Ratel C4 payloads – Part 2
Brute Ratel C4
2023-09-22MandiantDan Black, Josh Atkins, Luke Jenkins
Backchannel Diplomacy: APT29’s Rapidly Evolving Diplomatic Phishing Operations
Brute Ratel C4 Cobalt Strike EnvyScout GraphDrop QUARTERRIG sRDI Unidentified 107 (APT29)
2023-08-31Cyber GeeksCyberMasterV
A Deep Dive into Brute Ratel C4 Payloads
Brute Ratel C4
2023-08-07Recorded FutureInsikt Group
RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale
Winnti Brute Ratel C4 Cobalt Strike FunnySwitch PlugX ShadowPad Spyder Earth Lusca
2023-04-28Twitter (@MichalKoczwara)Michael Koczwara
Tweet on hunting BRC4 infrastructure
Brute Ratel C4
2023-03-06ProtectedMo.deBoymoder RE
Brute Ratel - Scandinavian Defence
Brute Ratel C4
2023-02-23Andrea Fortuna's BlogAndrea Fortuna
How to detect Brute Ratel activities
Brute Ratel C4
2023-02-15YoroiCarmelo Ragusa, Luigi Martire
Hunting Cyber Evil Ratels: From the targeted attacks to the widespread usage of Brute Ratel
Brute Ratel C4
2023-01-29Dark VortexParanoid Ninja
Hiding In PlainSight - Indirect Syscall is Dead! Long Live Custom Call Stacks
Brute Ratel C4
2023-01-26Dark VortexParanoid Ninja
Hiding In PlainSight - Proxying DLL Loads To Hide From ETWTI Stack Tracing
Brute Ratel C4
2022-10-25Medium walmartglobaltechJason Reaves
Brute Ratel Config Decoding update
Brute Ratel C4
2022-10-12Twitter (@embee_research)Embee_research, Huntress Labs
Tweets on detection of Brute Ratel via API Hashes
Brute Ratel C4
2022-10-12Trend MicroIan Kenefick, Lucas Silva, Nicole Hernandez
Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike
Black Basta Brute Ratel C4 Cobalt Strike QakBot
2022-10-04splunkSplunk Threat Research Team
Deliver a Strike by Reversing a Badger: Brute Ratel Detection and Analysis
Brute Ratel C4
2022-09-01Medium michaelkoczwaraMichael Koczwara
Hunting C2/Adversaries Infrastructure with Shodan and Censys
Brute Ratel C4 Cobalt Strike Deimos GRUNT IcedID Merlin Meterpreter Nighthawk PoshC2 Sliver
2022-08-22MicrosoftMicrosoft
Extortion Economics - Ransomware’s new business model
BlackCat Conti Hive REvil AgendaCrypt Black Basta BlackCat Brute Ratel C4 Cobalt Strike Conti Hive Mount Locker Nokoyawa Ransomware REvil Ryuk
2022-08-03MDSecDominic Chell
PART 3: How I Met Your Beacon – Brute Ratel
Brute Ratel C4
2022-07-09spookysecRonnie
Analyzing a Brute Ratel Badger
Brute Ratel C4
2022-07-07SOCRadarSOCRadar
Brute Ratel Utilized By Threat Actors In New Ransomware Operations
Brute Ratel C4
2022-07-06YouTube (IppSec)IppSec
Reversing Malware How is APT 29 Successful w/ this Phishing Tech and BRc4 (Brute Ratel) opsec fails?
Brute Ratel C4
2022-07-05Mike Harbison
When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors
Brute Ratel C4
2021-06-01Dark VortexDark Vortex
PE Reflection: The King is Dead, Long Live the King
Brute Ratel C4
Yara Rules
[TLP:WHITE] win_brute_ratel_c4_w0 (20221012 | No description)
rule win_brute_ratel_c4_w0 {
	//Looks for API hashes present in Brute Ratel Badger Payloads. 
	meta:
		author = "Embee_Research @ Huntress"
		vendor = "Huntress"
		created = "2022/10/12"
		source = "https://raw.githubusercontent.com/embee-research/Yara/main/BruteSyscalls.yara"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.brute_ratel_c4"
        malpedia_rule_date = "20221012"
        malpedia_hash = ""
        malpedia_version = "20221012"
        malpedia_sharing = "TLP:WHITE"
	strings:
		
		$hash1 = {89 4d 39 8c} //NtProtectVirtualMemory
		$hash2 = {bd ca 3b d3} //NtAllocateVirtualMemory
		$hash3 = {b2 c1 06 ae} //NtWaitForSingleObject
		$hash4 = {74 eb 1d 4d} //NtCreateThreadEx
	
	condition:
		//0x5a4d == regular pe/dll
		//0x00e8 == start of Brute shellcode 
		(2 of them) and (uint16(0) == 0x5a4d or uint16(0) == 0x00e8)
}
Download all Yara Rules