Key points
- The article analyzes a Brute Ratel C4 agent and its sequence of commands beyond the initial payload, including impersonation and privilege adjustments.
- It details a full process-injection chain: opening a target process, allocating memory, writing shellcode, changing memory protections, and creating a thread to run it.
- Credential and token workflows are shown, including impersonation of a logged-on user and privilege elevation (SeDebugPrivilege) to spawn new processes.
- Extensive discovery and reconnaissance are described, such as enumerating processes, locating specific system processes, querying domain controllers, and extracting service and user information.
- Command-and-control (C2) communication is implemented via pipes and a TCP listener, with data exfiltration to a C2 server and responses flowing back via pipes.
- The analysis covers screen capture and data exfiltration using GDI+/shellcode, as well as clipboard data extraction and other data-gathering actions.
MITRE Techniques
- [T1134] Access Token Manipulation – Impersonates a user and creates processes with that token. ‘OpenProcessToken is utilized to open the access token associated with the process (0x28 = TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY)’
- [T1055] Process Injection – Shellcode injection into a remote process via OpenProcess, VirtualAllocEx, WriteProcessMemory, VirtualProtectEx, and CreateRemoteThread (‘The badger opens the target process using OpenProcess (0x1F0FFF = PROCESS_ALL_ACCESS)’)
- [T1012] Query Registry – Extract registry keys and values (‘RegOpenKeyExA’ and related registry enumeration functions are used to read registry data)
- [T1057] Process Discovery – Enumerates running processes via Process32FirstW/Process32NextW (‘The running processes are enumerated using the Process32FirstW and Process32NextW functions’)
- [T1033] Account Discovery – Retrieves user account information from tokens (‘For each of the access tokens extracted from the processes, the executable calls the GetTokenInformation function and retrieves the user account of the token’)
- [T1113] Screen Capture – Takes screenshots using GDI+ and BitBlt (‘BitBlt method is used to capture the image’; ‘GdiplusStartup initializes Windows GDI+’)
- [T1115] Clipboard Data – Extracts clipboard data (‘The process opens the clipboard by calling the OpenClipboard method’; ‘Clipboard data retrieved in Unicode format’)
- [T1041] Exfiltration Over C2 Channel – Exfiltrates data to the C2 server (‘The content is exfiltrated to the C2 server, and the server’s response is written back to the pipe’)
- [T1106] Native API – Uses Windows native APIs to perform operations (‘The binary retrieves a pseudo handle for the current process using GetCurrentProcess’)
- [T1562.001] Impair Defenses – Locks the workstation display (‘LockWorkStation is utilized to lock the display’)
- [T1112] Clipboard Data (additional) – Reads and processes clipboard contents (‘Extract data from the clipboard’ with Unicode data)
- [T1059.003] Windows Command Shell – Executes commands via RunAs/open operations as part of credential usage (‘Execute the “open”, “runas”, or “print” command’ mention)
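The injection chain in the key points (OpenProcess → VirtualAllocEx → WriteProcessMemory → VirtualProtectEx → CreateRemoteThread) and the token step under T1134 (OpenProcessToken with 0x28, then SeDebugPrivilege) are both ordered API sequences, which is what a detection engineer would match on. The following is an added example, not code from the article or from Brute Ratel: a small Python detector run over constructed API-call telemetry. It assumes a hypothetical sensor that records each call with a monotonic sequence number and resolves the process handle to a target PID; the `ApiEvent` fields and the sample events are assumptions. It generalizes slightly beyond the summary's 0x1F0FFF mask: any OpenProcess handle that carries the rights the later steps need (PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE) starts a chain, so a query-only handle never matches.

```python
"""Detect the ordered injection chain and SeDebugPrivilege enablement over
constructed API-call telemetry. Added example; not from the original article."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Win32 access-mask constants (the summary quotes 0x1F0FFF and 0x28).
PROCESS_ALL_ACCESS = 0x1F0FFF
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
REQUIRED_INJECT_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE
TOKEN_ADJUST_PRIVILEGES = 0x0020
TOKEN_QUERY = 0x0008
TOKEN_ADJUST_AND_QUERY = TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY  # == 0x28

# Ordered cross-process injection chain described in the summary.
INJECTION_CHAIN = ("OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                   "VirtualProtectEx", "CreateRemoteThread")


@dataclass(frozen=True)
class ApiEvent:
    seq: int                          # ordering from the hypothetical sensor
    pid: int                          # calling process
    api: str
    target_pid: Optional[int] = None  # handle resolved to a PID by the sensor
    access: int = 0                   # requested access mask, where relevant
    privilege: str = ""               # privilege name for AdjustTokenPrivileges


def detect_injection_chains(events: List[ApiEvent]) -> List[Dict[str, int]]:
    """One finding per (source, target) pair that completes the chain in order.
    A chain only starts on an OpenProcess whose mask grants the rights the
    later steps require; partial chains produce no finding."""
    progress: Dict[tuple, int] = defaultdict(int)
    opened_with: Dict[tuple, int] = {}
    findings = []
    for ev in sorted(events, key=lambda e: e.seq):
        key = (ev.pid, ev.target_pid)
        step = progress[key]
        if step >= len(INJECTION_CHAIN) or ev.api != INJECTION_CHAIN[step]:
            continue
        if ev.api == "OpenProcess":
            if (ev.access & REQUIRED_INJECT_RIGHTS) != REQUIRED_INJECT_RIGHTS:
                continue  # query/read-only handle: cannot complete the chain
            opened_with[key] = ev.access
        progress[key] = step + 1
        if progress[key] == len(INJECTION_CHAIN):
            findings.append({"source_pid": ev.pid, "target_pid": ev.target_pid,
                             "open_access": opened_with[key]})
    return findings


def detect_debug_privilege(events: List[ApiEvent]) -> List[int]:
    """PIDs that open a token with adjust+query rights and then enable
    SeDebugPrivilege, the step the summary ties to spawning processes."""
    armed, flagged = set(), []
    for ev in sorted(events, key=lambda e: e.seq):
        if ev.api == "OpenProcessToken" and \
                (ev.access & TOKEN_ADJUST_AND_QUERY) == TOKEN_ADJUST_AND_QUERY:
            armed.add(ev.pid)
        elif ev.api == "AdjustTokenPrivileges" and ev.pid in armed \
                and ev.privilege == "SeDebugPrivilege" and ev.pid not in flagged:
            flagged.append(ev.pid)
    return flagged


def analyze(events: List[ApiEvent]) -> Dict[str, list]:
    return {"injection": detect_injection_chains(events),
            "debug_privilege": detect_debug_privilege(events)}


# Constructed telemetry: pid 4242 behaves like the agent in the summary,
# pid 5000 only queries a process, pid 6000 stops short of thread creation.
SAMPLE_EVENTS = [
    ApiEvent(1, 4242, "OpenProcessToken", access=0x28),
    ApiEvent(2, 4242, "AdjustTokenPrivileges", privilege="SeDebugPrivilege"),
    ApiEvent(3, 5000, "OpenProcess", target_pid=2000, access=0x0400),
    ApiEvent(4, 5000, "VirtualAllocEx", target_pid=2000),
    ApiEvent(5, 4242, "OpenProcess", target_pid=1337, access=PROCESS_ALL_ACCESS),
    ApiEvent(6, 6000, "OpenProcess", target_pid=3000, access=PROCESS_ALL_ACCESS),
    ApiEvent(7, 4242, "VirtualAllocEx", target_pid=1337),
    ApiEvent(8, 6000, "VirtualAllocEx", target_pid=3000),
    ApiEvent(9, 4242, "WriteProcessMemory", target_pid=1337),
    ApiEvent(10, 6000, "WriteProcessMemory", target_pid=3000),
    ApiEvent(11, 4242, "VirtualProtectEx", target_pid=1337),
    ApiEvent(12, 4242, "CreateRemoteThread", target_pid=1337),
]

if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_EVENTS).items():
        print(name, hits)
```

Keying the chain on (source, target) rather than on the source alone is what keeps pid 5000 and pid 6000 out of the findings: the first never obtains write/thread rights, the second never reaches CreateRemoteThread. In a real pipeline the same ordered-state-machine shape works over Sysmon, ETW or EDR API telemetry, with the handle-to-PID resolution supplied by the sensor.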
Indicators of Compromise
- [Hash] d71dc7ba8523947e08c6eec43a726fe75aed248dfd3a7c4f6537224e9ed05f6f – Payload SHA256 hash for the Brute Ratel agent described in the article
- [IP] 45.77.172.28 – C2 server address referenced in the article
- [User-Agent] [email protected] – User-agent value observed in the article’s context
Read more: https://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads-part-2/