Hunting Cyber Evil Ratels: From the targeted attacks to the widespread usage of Brute Ratel

逆向病毒分析 2年前 (2023) admin
337 0 0

 

Introduction

Red team operations are fundamental for achieving an adequate cybersecurity maturity level. So, many different C2 commercial frameworks were born to provide help in managing security tests. However, these technologies can be used at the same time even by attackers to make cyber intrusions.

One of the most emblematic examples of this phenomenon is “Brute Ratel”, a commercial Red Team Operations framework developed by Chetan Nayak, an expert red teamer, formerly both in Mandiant and Crowdstrike, which, starting from the past year, has been used by attackers both in cybercrime and APT operations.

This Red Team framework is designed to be capable of being highly evasive and undetectable by security products, as demonstrated also by many shellcodes we intercepted through hunting activities with zero detection rate on VirusTotal platform.

For these reasons, the reconstruction of the abuse of that tool is a necessary step in order to provide technical insights for the cybersecurity community.

Reconstructing the abuse of Brute Ratel

The first time when the Cybersecurity Community started to face-off the abuse of Brute Ratel was between May and June 2022. The observed attack involved a ISO file, used to compress the files and reduce the detection rate, because this type of file isn’t easily detected by security protections. The content of the archive is a LNK file used to perform DLL sideloading of the malicious “version.dll” library, a necessary dependency of the legit Microsoft’s executable “OneDriveUpdtater.exe”.

Hunting Cyber Evil Ratels: From the targeted attacks to the widespread usage of Brute Ratel
Figure 1: Content of the ISO image

This campaign has been deeply analyzed by Unit42 of PaloAlto, and attributing the threat to Nobellium, AKA APT29. However, this campaign was important because it was the first documented one maliciously leveraging Brute Ratel Framework.

On 13 September an archive containing a leaked version of Bruteratel 1.2.2 named “BruteRatel_1.2.2.Scandinavian_Defense.tar.gz” was uploaded on VirusTotal and in the next days shared among the cyber criminals on underground forums and popular Telegram channels. This was a very good starting point to take a closer look, but the leak didn’t have a valid license, making the application not working.

Hunting Cyber Evil Ratels: From the targeted attacks to the widespread usage of Brute Ratel
Figure 2: Testing the Brute Ratel Leak

Nevertheless, this hasn’t stopped the criminals, who we believe reversed the license related routines to develop a crack aimed at bypassing the usage restrictions of the product. In fact, the following days a manumitted version of the framework appeared, with the addition of a license file named “.brauth”, which made the tool work.

Hunting Cyber Evil Ratels: From the targeted attacks to the widespread usage of Brute Ratel
Figure 3: Evidence of the cracked version of brute ratel

Thus, we decided to test even this version, and it worked.

Hunting Cyber Evil Ratels: From the targeted attacks to the widespread usage of Brute Ratel
Figure 4: Cracked Version of Brute Ratel Working

After that, this cracked version started to be spread on many different forums and private hacking groups. So, threat actors started to adopt this framework during their human operated cyber intrusions, replacing or alongside CobaltStrike, which nowadays remains the landmark for this type of malicious operations.

Technical Insights

The malicious code is contained inside the exported function main, the sample iterates the PEB to find ntdll.dll and dynamically resolve the APIs. The API Hashing is one of the most trending techniques adopted by malware writers: in this way, they can obfuscate the calling of the most critical API calls to perform, making the analyses harder. In this case (4766553ce5ff67a2e28b1ee1b5322e005b85b26e21230ffba9622e7c83ed0917), the algorithm used to perform the hashing operation is ROR13.

Hunting Cyber Evil Ratels: From the targeted attacks to the widespread usage of Brute Ratel
Figure 5: Resolving the hashed APIs

After resolving the functions, the badger starts an anti-analysis phase, where it tries to evade when an analyst reverses the payload.

The first technique is an anti-debug trick to evade when the analyst tries to insert some breakpoints on the API function to be resolved. In this case, the control is performed by retrieving the address of the API call to resolve, and check whether it is overwritten with the 0xCC opcode, which is the code of the software breakpoint in assembly language.

A second technique is an anti-hooking trick aimed at checking if the call is long 20bytes and the last 3 bytes are 0x0F, 0x05 and 0xC3, which are the machine code for the operations “syscall” and “ret”. In this way, the control allows the malware to identify any tampering inside the API calls to be used: in fact, many EDRs and security appliance adopt hooking techniques to intercept the code and identify malicious behaviour.

Hunting Cyber Evil Ratels: From the targeted attacks to the widespread usage of Brute Ratel
Figure 6: Anti-Analysis and Anti-hooking techniques

A detail of the called syscall not tampered by any security control is the following:

Hunting Cyber Evil Ratels: From the targeted attacks to the widespread usage of Brute Ratel
Figure 7: Evidence of a not tampered syscall

After those controls, the badger can extract its shellcode contained inside the “.data” section in a new memory section and it is executed with a syscall to NtCreateThreadEx.

Hunting Cyber Evil Ratels: From the targeted attacks to the widespread usage of Brute Ratel
Figure 8: Shellcode execution through syscall

At this point, the shellcode is able to allocate in memory a PE file, but with the header missing, which is the final payload.

Hunting Cyber Evil Ratels: From the targeted attacks to the widespread usage of Brute Ratel
Figure 9: Loaded badger shellcode without MZ header

A view of the badger strings inside the just loaded code is the following:

Hunting Cyber Evil Ratels: From the targeted attacks to the widespread usage of Brute Ratel
Figure 10: Strings of the badger

The last decoding routine of the payload is to retrieve the configuration of the badger. It uses the RC4 algorithm to encrypt this information and it decodes that at runtime; in this case the key is the hardcoded string “mnan#:<(

Hunting Cyber Evil Ratels: From the targeted attacks to the widespread usage of Brute Ratel
Figure 11: RC4 algorithm for the configuration decryption

An example of the configuration of the decrypted configuration of a badger of Brute Ratel is the following:

0|1|40|||||||0|1|[IP (Redacted)]|443|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36|VNIGBM11JPMHF40J|DQMVLBS4H9FCUAMO|/content.php,/admin.php,/login.php||6df589ac0c3c884c54f419a437406ac8bf3ab400685a108bd50542bc67704831

Threat Hunting

Upon the release of the leaked version, we decided to track the malicious campaigns leveraging this pentesting framework in order to identify how many actors are using it to do malicious cyber-attacks. It was surprising to observe that some of these samples we are able to track with the Yara rule provided at the end of the blogpost are fully undetected by the antimalware and VirusTotal give dame also zero detection rate. So, it indicates that the effort to make this tool as optimal to simulate an adversary.

Hunting Cyber Evil Ratels: From the targeted attacks to the widespread usage of Brute Ratel
Figure 12: Detection rate of a file uploaded on VT which is a Brute Ratel

So, it was interesting to notice that, at time of writing, there are three low detection rate sample we found through our signatures.

0 detection:

  • 17decce71404a0ad4b402d030cb91c6fd5bca45271f8bf19e796757e85f70e48
  • Fdeb6a6aaee94fe204fb986f6d78e64a9086c5f64e315d8c5e90b590f0007af8

3 detections:

  • 5f4782a34368bb661f413f33e2d1fb9f237b7f9637f2c0c21dc752316b02350c

Conclusion

Threat hunting is a proactive approach to identifying and tracking security threats. It involves actively searching for and analyzing potential security breaches or anomalies in an organization’s systems and networks. The job of proactively hunting for threats helps organizations to minimize the risk of cyber intrusion and minimize the damage caused by such an attack. In addition, threat hunting enables organizations to continuously monitor and improve their security posture, helping to stay ahead of the evolving threat landscape.

The example of the abuse of Brute Ratel framework is emblematic to understand that the continuous improvement of Threat Intelligence and Hunting capabilities are fundamental for the growth of the cyber security measures of the company, guaranteeing a best practice to the early detection of the cyber threats.

Indicators of Compromise

  • Hashes retrieved from threat hunting operations:
    • 025ef5e92fecf3fa118bd96ad3aff3f88e2629594c6a7a274b703009619245b6
    • 086dc27a896e154adf94e8c04b538fc146623b224d62bf019224830e39f4d51d
    • 17decce71404a0ad4b402d030cb91c6fd5bca45271f8bf19e796757e85f70e48
    • 17e4989ff7585915ec4342cbaf2c8a06f5518d7ba0022fd1d97b971c511f9bde
    • 200955354545ef1309eb6d9ec65a917b08479f28362e7c42a718ebe8431bb15d
    • 221e81540e290017c45414a728783cb62f79d9f63f2547490ec2792381600232
    • 25e7a8da631f3a5dfeec99ca038b3b480658add98719ee853633422a3a40247d
    • 28a4e9f569fd5223bffe355e685ee137281e0e86cae3cc1e3267db4c7b2f3bcd
    • 2ddc77de26637a6d759e5b080864851b731fdb11075485980ece20d8f197104c
    • 31fe821e4fac6380701428e01f5c39c6f316b6b58faff239d8432e821a79d151
    • 331952c93954bd263747243a0395441d0fae2b6d5b8ceb19f3ddb786b83f0731
    • 34c1d162bf17cdb41c2c5d220b66202a85f5338b15019e26dcab1a81f12fc451
    • 38b3b10f2ddeecda0db029dacc6363275c4cdf18cc62be3cc57b79647d517a44
    • 3a946cba2ba38a2c6158fa50beee20d2d75d595acc27ea51a39a37c121082596
    • 3baace2a575083a7031af7e9e13ff8ed46659f0b25ce54abe73db844acfad11a
    • 3f63fbc43fc44e6bf9c363e8c17164aeb05a515229e2111a2371d4321dcde787
    • 4766553ce5ff67a2e28b1ee1b5322e005b85b26e21230ffba9622e7c83ed0917
    • 4e5d89844135dca1d9899a8eedfbabc09bcb0fb5c5c14c29f7df5a58d7cf16d4
    • 4f88738e04447344100bb9532c239032b86e71d8037ccb121e2959f37fff53cf
    • 54e844b5ae4a056ca8df4ca7299249c4910374d64261c83ac55e5fdf1b59f01d
    • 56ced937d0b868a2005692850cea467375778a147288ac404748c2dea9c17277
    • 5f4782a34368bb661f413f33e2d1fb9f237b7f9637f2c0c21dc752316b02350c
    • 6021d5500fdea0664a91bdd85b98657817083ece6e2975362791c603d7a197c7
    • 62cb24967c6ce18d35d2a23ebed4217889d796cf7799d9075c1aa7752b8d3967
    • 62e88163b51387b160e9c7ea1d74f0f80c52fc32c997aa595d53cbc2c3b6caf4
    • 64a95de2783a97160bac6914ee07a42cdd154a0e33abc3b1b62c7bafdce24c0c
    • 6a85451644a2c6510d23a1ab5610c85a38107b3b3a00238f7b93e2ce6d1ba549
    • 6ade03a82d8bb884cae26c6db31cf539bec66861fc689cf1c752073fb79740c5
    • 6fdd81e31f2bec2bdda594974068a69e911219d811c8de4466d7a059dd3183a3
    • 74c00f303b87b23dffb59718187ff95c9d4d8497c61a64501166ac5dbed84b9f
    • 7757a76ca945f33f3220ad2b2aa897f3e63c47f08e1b7d62d502937ba90360a7
    • 7824197ad3b9c0981a1cdabf82940ac7733d232442bd31d195783a4e731845d2
    • 79e232b2a08a2960a493e74ab7cba3e82c8167acc030a5ca8d080d0027a587fe
    • 7fe1ff03e8f5678d280f7fd459a36444b6d816b2031e37867e4e36b689eccd33
    • 83b336deca35441fa745cd80a7df7448ce24c09dd2a36569332ae0e4771f36a6
    • 88249de22cefaf15f7c45b155703980fb09eb8e06b852f9d4a7c82126776ee7e
    • 8b8f7e8030e2ba234a33bc8a2fa3ccb5912029d660e03ed40413d949142b98fe
    • 8d979a1627dea58e9b86f393338df6aabfd762937e25e39f1d325fce06cf5338
    • 8dd3faf0248890e8c3efb40b800f892989204ba3125986690669f0a914f26c5d
    • 9521f51e42b8e31d82b06de6e15dbf9a1fa1bbff62cf6bc68c0b9e8fd1f8b2c5
    • 97a00056c459a7ce38ad8029413bf8f1691d4ae81e90f0d346d54c91dd02a511
    • 991f883556357a3b961c31e2b72f6246b52b27a5c45b72914abc61c5b5960cc3
    • 9f06583bd4b8c4aefc470ef582ff685cd3d03b404e67ce8bf9dbbd5828c90c43
    • a0c3da2ebf94f6671537a80d26b3288f8fcdf845fe2780ef81fd9da48c0162bf
    • a8759ef55fed4a9410cc152df9ef330a95f776619901054715ed4721a414d15c
    • a8cc14bd56aa4a2da40717cb3f11ecb6aff4e0797a9cebcff51461db19eaf580
    • ae38ec0ddc58424bf6de8858c82c4c6902fc947604943d58d8cbca00991c7f7d
    • aeb82788aad8bdee4c905559c4636536fb54c40fdc77b27ba4308b6a0f24bedf
    • bdd028922220ff92acb8530c894e2705743a968a8159fe955c1057736c7e1ebd
    • c3cc43492d005b25fc2cc66f82a550420bb4c48b5aae0a77f1ccef0603a3e47c
    • c4f40e2eb029ef11be4ac43ccc6895af6fb6dabd3a5bcc02f29afb9553da625c
    • c6aa2c54eee52f99a911dadfbf155372bd9f43fb9f923500b0b374799204d7a3
    • c6e2562a2ae399a851b0e5bfb92011e9f97ab45fa536a61eb89b3aee062461f7
    • ca2b9a0fe3992477d4c87a6e2a75faaac9ea0f3828d054cb44371b3068b76ba5
    • cdc5e05843cf1904e145dad3ae6c058b92b1bc3cbffffc217884b7cc382172a1
    • cee890a9e7ab521125372c13b71fc154ef5332d333fe43798303b198e9314dcd
    • d90beab9a3986c26922e4107dccb0b725b8b0eea398f2aeb8848cbe25c3becee
    • db987749ef4a58c6a592a33221770d23adcb2efce4a5504aabc73d61cd356616
    • dc9757c9aa3aff76d86f9f23a3d20a817e48ca3d7294307cc67477177af5c0d4
    • dcb986e45f1cf38794acec5e7f576a8dff6fbec66e6a09e3cc92596c796ad0d3
    • e400a196e7128a3cf40085629db8f26b73b6980be7df3da60928a4a062bc85cb
    • e491d06e3a556c79e922274af04c1786a957775ba2d5d0b02d13bdee91bf5ce4
    • ea6d9ff8f768fc0132f9f543d9546744d04f9f83e2241950f63f60b520b9ece0
    • ead189bb18ee839db3d221701e208c4d2845c232cec66764bb3ea6c688ca18e8
    • ee035537c3b8fc54ca2e1fa98c18e2fb0e203d863005c878bc8ceaa690a6689f
    • ee53521e7d8b2b05fef77877440738ee169f3b75228931f9aaf96621a2f64c25
    • eef36bc6f208abd46541bac1b1de18bb3a69057b1a54e67d71d259cc0f1bef5b
    • f59fe0945f97df4e3d2efc9b31d00602fc5a16e05453e0d853e275cadb63a057
    • f875e68899afe172394176fa9cabededeaa19ad6816a90746bb630c064c69e6a
    • fdeb6a6aaee94fe204fb986f6d78e64a9086c5f64e315d8c5e90b590f0007af8

Yara Rules


rule brute_ratel
{
    meta:
        author = "Yoroi Malware ZLab"
        description = "Rule for BruteRatel Badger"
        last_updated = "2023-02-15"
        tlp = "WHITE"
        category = "informational"

    strings:
        $1 = {8079ffcc74584585c075044883e920448a094180f9e9740a448a41034180f8e97507ffc24531c0ebd731c04180f94c752f8079018b7529807902d175214180f8b8751b8079060075170fb64105c1e0084189c00fb641044409c001d0eb0231c0c3} // Checks Breakpoint (DLL)
        $2 = {565389d34883ec2885db74644889cee8????????31c9ba????????4989c0e8????????448d430165488b142530000000488b5260488b4a30ba08000000ffd04885f6741c4885c0742731d20f1f4400000fb60c16880c104883c2014839d375f04883c4285b5ec3} // Shellcode
    condition:
        (uint16(0) == 0x5A4D or uint16(0) == 0x00E8 or uint16(0) == 0x8348) and ($1 or $2)
}

This blog post was authored by Luigi Martire, Carmelo Ragusa of Yoroi Malware ZLAB

 

版权声明:admin 发表于 2023年2月17日 上午9:47。
转载请注明:Hunting Cyber Evil Ratels: From the targeted attacks to the widespread usage of Brute Ratel | CTF导航

相关文章

暂无评论

您必须登录才能参与评论!
立即登录
暂无评论...