Brute Ratel remains rare and targeted, with limited real-world use and far fewer detections than Cobalt Strike. Sophos notes that cracked versions and targeted deployments have kept it from becoming the widespread threat feared, while defenders continue to monitor and block its activity. #BruteRatel #CobaltStrike #Meterpreter #PowerSploit #Sliver
Keypoints
- Brute Ratel has been rarely observed in the wild and is mainly seen in well-resourced, targeted campaigns.
- Public exposure and a 2022 crack did not lead to broad adoption; Sophos telemetry shows very few Brute Ratel detections Sept 2022βMar 2023.
- Cobalt Strike remains far more prevalent, with thousands of detections and incidents during the same period.
- A Polish government cyberespionage campaign reportedly used Brute Ratel alongside Cobalt Strike, prompting updated detections.
- Brute Ratel is a post-exploitation tool requiring initial access (e.g., phishing attachments or exploiting server vulnerabilities) to be effective.
- Detections often arise from generic malware behavior or blocked C2 activities; widespread evasion claims have not been broadly borne out in practice.
MITRE Techniques
- [T1566.001] Phishing β Initial Access via email attachments that install an attack payload when opened. β[email attachments that install an attack payload when opened]β.
- [T1190] Exploit Public-Facing Application β Initial Access via exploiting existing vulnerabilities on an Internet-exposed server. β[existing vulnerabilities on an Internet-exposed server]β.
- [T1021.002] SMB/Windows Admin Shares β Internal Badger-to-Badger communications can be over TCP and the SMB file-sharing protocol. β[Badger-to-Badger communications can be over TCP and the SMB file-sharing protocol]β.
- [T1071.001] Web Protocols β Command and control traffic to the C2 server uses HTTP/HTTPS. β[communications back to the C2 server are over web protocols (HTTP and HTTPS)]β.
- [T1071.004] DNS β DNS over HTTPS (DOH) used in communication with C2. β[DNS over HTTPS (DOH)]β.
- [T1055] Process Injection β The script injected the βbadgerβ implant code into notepad.exe. β[injected the βbadgerβ implant code into notepad.exe]β.
- [T1027] Obfuscated/Compressed Files and Information β The delivery script was highly obfuscated JS. β[highly obfuscated JS which injected the βbadgerβ implant code into notepad.exe]β.
Indicators of Compromise
- [Domain] β prefectrespond.online β example domain used for C2 communications. prefectrespond[.]online/share.php
- [Domain] β instrumentation-database-fc-lows.trycloudflare.com β example domain used for C2 communications. instrumentation-database-fc-lows[.]trycloudflare.com/share[.]php
- [IP Address] β 5.161.100.208 β C2-related activity hosted on a German ISP. 5.161.100.208
- [File] β Temp1_Julie Ramzel_1040_1120s 2019-2021.zip β delivery archive associated with the campaign. Temp1_Julie Ramzel_1040_1120s 2019-2021.zip
- [File] β passwords_Julie Ramzel_1040_1120s 2019-2021.js β obfuscated JS script contained in the ZIP archive. passwords_Julie_Ramzel_1040_1120s_2019-2021.js
Read more: https://news.sophos.com/en-us/2023/05/18/the-phantom-menace-brute-ratel-remains-rare-and-targeted/