“Efficiently Loading Latrodectus with Brute Ratel C4 Badger – ANY.RUN Cybersecurity Insights”

Brute Ratel C4’s Badger was observed loading Latrodectus into memory at the end of a multi-stage dropper chain that starts from an MSI file; the embedded loader decrypts the final payload and runs it without ever writing it to disk. The analysis highlights EDR evasion (unlinking of DLL load callbacks, proxied DLL loads that present a clean call stack to ETWTI stack tracing, patchless ETW evasion with hardware breakpoints and a VEH, and Hell’s Gate-style direct syscalls), in-memory execution, and HTTPS-based C2 carrying RC4-encrypted JSON. Hashtags: #BruteRatelC4 #Latrodectus #IcedID #MSI #EDREvasion #HellsGate

Keypoints

  • The Brute Ratel C4 (BRC4) framework is used to load Latrodectus into memory once the Badger has checked in with its C2 servers, giving a multi-stage infection chain that never drops the final payload to disk.
  • Latrodectus is described as a loader suspected to be tied to IcedID; it arrives through phishing emails that trick the victim into installing an MSI, and that MSI kicks off the whole chain.
  • The MSI dropper contains an embedded loader (upfilles.dll) found inside disk1.cab; viewer.exe launches rundll32 to run the DLL’s export, initiating the infection chain.
  • Static analysis shows the loader resolving API addresses by walking the Export Names Table (ENT), hashing each name and comparing the result with hard-coded constants to locate GetProcAddress, VirtualAlloc and LoadLibraryA; strings such as kernel32.dll are built on the stack at runtime so they never appear in the binary’s string table.
  • The final payload is decrypted in memory (XOR with a dynamic key) and executed in memory, avoiding disk writes and leaving fewer artifacts.
  • Extensive EDR evasion techniques are used: DLL load callbacks are unlinked (the loader registers an empty callback of its own to reach the notification list), DLL loads are proxied through a separate thread so that ETWTI stack tracing sees a clean call stack, and ETW is evaded without patching by placing hardware breakpoints on the logging functions and handling them in a custom VEH.
  • C2 communications are over HTTPS with RC4-encrypted JSON data; the malware first enumerates system information, then uploads it to hardcoded C2 domains before awaiting commands.
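The hash-based import resolution in the keypoints above, as an added example that is not code from the ANY.RUN write-up or from the loader: it walks an export-name list the way the loader walks the ENT, hashing every name and stopping at the first match, and shows the analyst-side reverse of the same idea, a precomputed hash-to-name table for labelling the constants found next to the walk. The page does not state which hash the sample uses; ROR-13 (rotate right by 13, add the next byte) is assumed here as a stand-in because it is the most common choice in such loaders. The export list is a constructed subset of kernel32 names, not a parsed PE.

```python
"""
API-hash resolution walk-through (added example; not ANY.RUN's or the
loader's code). ROR-13 is an ASSUMED stand-in for the sample's real hash,
and KERNEL32_EXPORTS is a CONSTRUCTED subset of export names.
"""


def ror13_hash(name: str) -> int:
    """ROR-13 over the ASCII bytes of an export name (assumed algorithm):
    rotate the running 32-bit value right by 13, then add the next byte."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


# Constructed stand-in for kernel32.dll's Export Names Table (export order).
KERNEL32_EXPORTS = [
    "CloseHandle", "CreateFileA", "GetProcAddress", "LoadLibraryA",
    "VirtualAlloc", "VirtualProtect", "WriteProcessMemory",
]


def resolve_by_hash(exports, target_hash, hasher=ror13_hash):
    """Loader side: linear walk over the ENT, hash-and-compare until a match.
    Returns (index, name); the index is what a real loader feeds into the
    ordinal table to reach the export's RVA. None if nothing matches."""
    for idx, name in enumerate(exports):
        if hasher(name) == target_hash:
            return idx, name
    return None


def build_hash_table(exports, hasher=ror13_hash):
    """Analyst side: precompute hash -> name so the hard-coded constants
    sitting next to the ENT walk can be labelled without running the sample."""
    return {hasher(n): n for n in exports}


def label_constants(constants, table):
    """Map 32-bit immediates pulled from the disassembly to export names;
    values not in the table come back as hex so they can be chased manually."""
    return [table.get(c, f"unknown:0x{c:08x}") for c in constants]


if __name__ == "__main__":
    table = build_hash_table(KERNEL32_EXPORTS)
    # 0xEC0E4E8E is the well-known ROR-13 value of "LoadLibraryA".
    print(resolve_by_hash(KERNEL32_EXPORTS, 0xEC0E4E8E))
    print(label_constants([0xEC0E4E8E, 0xDEADBEEF], table))
```

If the constants in a sample do not resolve, the hasher is usually what differs (rotate count, case folding, whether the terminating null byte is fed in, or a module-name hash added on top); swap in the variant recovered from the disassembly and rebuild the table rather than re-running the sample.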

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment / [T1204.002] User Execution: Malicious File – Malicious JavaScript or PDF lure used to trick victims into installing a malicious MSI file; no software vulnerability is exploited. ‘phishing email containing a malicious Java script or PDF file used to trick victims into installing a malicious MSI file.’
  • [T1218.007] System Binary Proxy Execution: Msiexec – The MSI installer is the vehicle for running the dropper. ‘MSI files used to execute malicious payloads with elevated privileges.’
  • [T1218.011] System Binary Proxy Execution: Rundll32 – viewer.exe launches rundll32 to call an export of upfilles.dll and start the loader.
  • [T1027] Obfuscated/Encrypted Files and Information – Use of stack string builds to obfuscate strings like kernel32.dll. ‘stack string builds, which is a common method for obfuscating strings.’
  • [T1106] Native API / [T1027.007] Dynamic API Resolution – Resolution of API addresses by hashing export names and locating GetProcAddress, VirtualAlloc, LoadLibraryA. ‘Walk the ENT (Export Names Table), hash function names, and compare the hashes until a match is found.’
  • [T1620] Reflective Code Loading – The decrypted payload is executed inside the loader’s own process rather than injected into another one. ‘The final payload is decrypted … then jump to it.’
  • [T1082] System Information Discovery – Host information is enumerated before the first check-in. ‘The gathered information includes …’
  • [T1041] Exfiltration Over C2 Channel – Uploading the gathered system information, RC4-encrypted, to hardcoded C2 domains over HTTPS. ‘encrypted data is then uploaded to one of the hardcoded C2 domains’
  • [T1071.001] Web Protocols – HTTPS-based C2 communications for data exfiltration and command reception. ‘The encrypted data is then uploaded to … C2 domains’ over HTTPS.
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Unlinking DLL load callbacks to suppress EDR telemetry. ‘To bypass this, a technique is used where an empty callback function is registered…’
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Proxying DLL loads to hide ETWTI stack tracing. ‘This technique creates a clean stack for DLL loading by running the LoadLibraryExA function in a separate thread, hence its own clean stack frame.’
  • [T1562.006] Impair Defenses: Indicator Blocking – Patchless ETW evasion via hardware breakpoints and VEH-based exception handling to prevent ETW logging. ‘They set hardware breakpoints at two common functions … registered their own VEH …’
  • [T1105] Ingress Tool Transfer – The Badger retrieves Latrodectus from its C2 servers and loads it into memory.
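The C2 exchange behind the T1041 and T1071.001 entries above (and the RC4-encrypted JSON keypoint), as an added example that is not code from the ANY.RUN write-up or from the malware: a textbook RC4 (KSA plus PRGA) used to wrap a JSON check-in the way the page describes, and the analyst-side decrypt you would run on traffic recovered from a sandbox or a TLS-intercepting proxy. The key, the JSON field names and the hex transport encoding are all assumptions; the real key has to be pulled from the sample, and a wrong key shows up as non-JSON output.

```python
"""
RC4 check-in encrypt/decrypt (added example; not ANY.RUN's or the malware's
code). ASSUMED_KEY, SAMPLE_INFO and the hex encoding are assumptions; the
page only says the JSON is RC4-encrypted and sent over HTTPS.
"""
import json


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: permute S under the key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """PRGA XOR'd over the data. RC4 is symmetric: one call both encrypts
    and decrypts. Known-answer check: key b"Key", data b"Plaintext"
    gives bbf316e8d940af0ad3."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


ASSUMED_KEY = b"example-rc4-key"  # placeholder, not the sample's key

# Constructed host-information record; the real field set is not given here.
SAMPLE_INFO = {
    "hostname": "WS-CONSTRUCTED",
    "user": "victim",
    "os": "Windows 10",
    "pid": 4120,
}


def build_checkin(info: dict, key: bytes = ASSUMED_KEY) -> str:
    """Malware side, reconstructed: serialise the host info, RC4 it, and
    hex-encode it for the HTTPS body (hex is an assumption)."""
    plain = json.dumps(info, separators=(",", ":")).encode()
    return rc4_crypt(key, plain).hex()


def decrypt_checkin(hex_blob: str, key: bytes = ASSUMED_KEY) -> dict:
    """Analyst side: undo the transport encoding, RC4-decrypt, parse JSON.
    A wrong key yields bytes that are not JSON, which is reported as such."""
    plain = rc4_crypt(key, bytes.fromhex(hex_blob))
    try:
        obj = json.loads(plain)
    except ValueError:  # covers UnicodeDecodeError and JSONDecodeError
        raise ValueError("no JSON after decrypt: wrong key or not an RC4 check-in")
    if not isinstance(obj, dict):
        raise ValueError("decrypted JSON is not a check-in object")
    return obj


if __name__ == "__main__":
    blob = build_checkin(SAMPLE_INFO)
    print(blob)
    print(decrypt_checkin(blob))
```

When working from a capture, try the candidate keys recovered from the sample in turn and keep the one that yields a JSON object; RC4 has no integrity check, so a successful JSON parse is the only signal that the key was right.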

Indicators of Compromise

  • [Hash] – MD5 of the MSI dropper and related artifacts: b4a482a7e96cfdef632a7af286120156, ccb6d3cb020f56758622911ddd2f1fcb, and 83bca228a6a8f5e6d7c95d2a08494d32
  • [File] – viewer.exe, upfilles.dll, disk1.cab
  • [Domain] – boriz400[.]coms, anikvan[.]com, ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk[.]io, uncertain-kitten-gw.aws-euc1.cloud-ara.tyk[.]io
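A hunting rule for the execution chain the file IOCs above belong to (viewer.exe launching rundll32 to call an export of upfilles.dll unpacked from the MSI), as an added example that is not code from the ANY.RUN write-up: it runs over constructed Sysmon-style process-creation records (Event ID 1 fields Image, ParentImage, CommandLine, ProcessId) and flags rundll32 invocations whose DLL lives outside the system directories and whose parent is an installer-staged executable or msiexec. The staging-directory list, the export name `#1` in the sample record and the msiexec-spawned variant are assumptions.

```python
"""
rundll32-from-installer hunt (added example; not ANY.RUN's code). The
events are CONSTRUCTED; STAGING_DIRS and the flagging logic are assumed
heuristics, not rules taken from the page.
"""
import re

# rundll32 [path\]name.dll,Export  (path may be quoted when it has spaces)
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+(?P<dll>"[^"]+\.dll"|\S+?\.dll)\s*,\s*(?P<export>#?\w+)',
    re.IGNORECASE,
)

# Where an MSI-delivered chain typically stages files (assumed list).
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\installer\\", "\\appdata\\roaming\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_rundll32(cmdline):
    """Return (dll_path, export) from a rundll32 command line, or None."""
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return None
    return m.group("dll").strip('"'), m.group("export")


def in_any(path, dirs):
    return any(d in path for d in dirs)


def is_suspicious(event):
    """rundll32 loading a DLL from outside System32/SysWOW64, launched by an
    executable that itself sits in a staging directory or by msiexec.exe."""
    image = event["Image"].lower()
    if not image.endswith("\\rundll32.exe"):
        return False
    parsed = parse_rundll32(event["CommandLine"])
    if parsed is None:
        return False
    dll = parsed[0].lower()
    parent = event["ParentImage"].lower()
    if dll.startswith(SYSTEM_DIRS):
        return False  # shell32.dll,Control_RunDLL and friends are normal
    parent_is_installer = parent.endswith("\\msiexec.exe") or in_any(parent, STAGING_DIRS)
    return parent_is_installer or in_any(dll, STAGING_DIRS)


def hunt(events):
    """Return (pid, parent, dll, export) for every flagged event."""
    hits = []
    for e in events:
        if is_suspicious(e):
            dll, export = parse_rundll32(e["CommandLine"])
            hits.append((e["ProcessId"], e["ParentImage"], dll, export))
    return hits


# Constructed records. 4120 mirrors the page's chain (export name assumed);
# 4201 is a hypothetical msiexec-spawned variant; the rest are benign controls.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\MW-1234\viewer.exe",
     "CommandLine": r'rundll32.exe "C:\Users\victim\AppData\Local\Temp\MW-1234\upfilles.dll",#1'},
    {"ProcessId": 4188, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"ProcessId": 4201, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"rundll32.exe C:\Windows\Installer\MSI7F3A.tmp\helper.dll,Start"},
    {"ProcessId": 4300, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Tools\vendor.dll,Init"},
    {"ProcessId": 4310, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

In a real deployment, pair the hit with the file IOCs (upfilles.dll, viewer.exe, disk1.cab) and the parent's own creation event to recover the MSI that dropped them; the rule alone is a triage filter, not a verdict, because legitimate installers also run DLL exports through rundll32 from temp paths.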

Read more: https://any.run/cybersecurity-blog/cybersecurity-blog/brute-ratel-c4-analysis/