Keypoints
- Brute Ratel C4 is positioned as an alternative to Cobalt Strike for Red Team operations.
- The payload uses an API hashing technique and a configuration that includes C2 IP, user-agent, a password, and an encryption key; newer versions encrypt and Base64-encode the config.
- The badger injects code by allocating memory with VirtualAllocEx, then loads a DLL into the current process via LoadLibraryA and resolves functions with GetProcAddress, followed by creating a remote thread to execute the DLL.
- Network communication with the C2 is performed over HTTP, including a POST to /content.php, using InternetConnectW/HttpOpenRequestW/HttpSendRequestW, with a Deloitte China user-agent hint.
- The JSON payload is constructed with system details, then XOR-encrypted (key from config) and Base64-encoded before exfiltration to the C2 via HTTP.
- The analysis notes the use of FakeNet-NG to simulate C2 traffic and that the sample includes a DLL export function named “badger_http_1.”
MITRE Techniques
- [T1055] Process Injection – The malicious binary allocates memory for a DLL and loads it into the process, then executes it via a new thread. Quote: ‘The malicious binary allocates new memory for another DLL that implements the main functionality using VirtualAlloc’.
- [T1071.001] Web Protocols – C2 communications occur over HTTP with specific HTTP requests and ports. Quote: ‘The process connects to the C2 server on port 80 by calling the InternetConnectW function’ and ‘creates a POST request to the “/content.php” resource using HttpOpenRequestW’.
- [T1027] Obfuscated/Compressed Files and Information – The configuration handling includes clear-text storage that later becomes encrypted and Base64-encoded. Quote: ‘The Brute Ratel C4 configuration is stored in clear text; however, in recent versions, the config is encrypted and Base64-encoded.’
- [T1132] Data Encoding – Data (including the JSON) is Base64-encoded after XOR encryption. Quote: ‘The JSON is encrypted using the XOR operator (key = “abcd@123” from configuration) and transformed by other operations’.
- [T1564] Hide Artifacts – The malware detaches from the console to avoid user interaction. Quote: ‘The FreeConsole method is used to detach the process from its console.’
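The keypoints and the T1132 entry describe the beacon body as JSON that is XOR-encrypted with the configured key and then Base64-encoded before the POST to /content.php. The following Python is an added analyst-side example, not code from the original write-up or from Brute Ratel; it decodes such a body from captured traffic and flags candidate beacons in a proxy log using only the indicators listed on this page. It assumes the wire format is exactly JSON -> repeating-key XOR -> Base64 (the source mentions unspecified "other operations", which are not modelled here, so a live sample may need extra steps), and the log line format and every log entry are constructed for the demonstration.

```python
import base64
import json
import re

# XOR key quoted in the analysis ("abcd@123"); a live sample carries its own key in its config.
XOR_KEY = b"abcd@123"

# Indicators taken from the page's IoC list.
C2_IP = "45.77.172.28"
C2_PATH = "/content.php"
C2_PORT = 80


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_beacon(info: dict, key: bytes = XOR_KEY) -> str:
    """Reproduce the assumed wire format (JSON -> XOR -> Base64) so the decoder
    can be exercised offline on constructed data."""
    raw = json.dumps(info, separators=(",", ":")).encode()
    return base64.b64encode(xor_bytes(raw, key)).decode()


def decode_beacon(blob: str, key: bytes = XOR_KEY) -> dict:
    """Recover the system-details JSON from a captured POST body.
    Raises ValueError if the body is not Base64 or the key does not yield JSON."""
    try:
        cipher = base64.b64decode(blob, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"not valid Base64: {exc}") from exc
    plain = xor_bytes(cipher, key)
    try:
        return json.loads(plain.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("XOR key did not produce JSON; wrong key or extra transforms") from exc


# Constructed proxy-log format (hypothetical, not any real product's format):
# <timestamp> <src> -> <dst>:<port> <METHOD> <path> ua="<user-agent>" body="<base64>"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+) '
    r'(?P<method>[A-Z]+) (?P<path>\S+) ua="(?P<ua>[^"]*)" body="(?P<body>[^"]*)"$'
)

# Constructed system details standing in for what the badger collects.
CONSTRUCTED_INFO = {"host": "WKS-01", "user": "alice", "pid": 4321}

# Constructed log lines: a beacon to the listed C2, benign traffic, a partial
# match (right path and port, unknown destination), and a malformed line.
SAMPLE_LOG = [
    f'2024-01-01T10:00:00Z 10.0.0.5 -> {C2_IP}:80 POST {C2_PATH} '
    f'ua="constructed-ua" body="{encode_beacon(CONSTRUCTED_INFO)}"',
    '2024-01-01T10:00:01Z 10.0.0.5 -> 93.184.216.34:443 GET /index.html ua="Mozilla/5.0" body=""',
    f'2024-01-01T10:00:02Z 10.0.0.7 -> 203.0.113.9:80 POST {C2_PATH} ua="Mozilla/5.0" body=""',
    "garbage line that does not match the format",
]


def find_beacon_candidates(lines, key: bytes = XOR_KEY):
    """Return one record per line matching the page's network indicators.
    Each record lists the reasons it matched and, when the body decodes with
    the configured key, the recovered JSON (strong confirmation)."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if not m:
            continue
        reasons = []
        if m["dst"] == C2_IP:
            reasons.append("dst matches known C2 IP")
        if m["method"] == "POST" and m["path"] == C2_PATH and int(m["port"]) == C2_PORT:
            reasons.append("POST to /content.php over port 80")
        if not reasons:
            continue
        decoded = None
        if m["body"]:
            try:
                decoded = decode_beacon(m["body"], key)
                reasons.append("body decodes to JSON with configured XOR key")
            except ValueError:
                pass  # matched on indicators only; body not decodable with this key
        hits.append({"line": n, "dst": m["dst"], "reasons": reasons, "decoded": decoded})
    return hits


if __name__ == "__main__":
    for hit in find_beacon_candidates(SAMPLE_LOG):
        print(hit)
```

The decoder deliberately fails closed: a wrong key almost never yields valid UTF-8 JSON, so a successful `json.loads` is a reasonable signal that the configured key is the right one, while a `ValueError` tells the analyst to look for the extra transforms the source alludes to rather than trusting garbage output.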
Indicators of Compromise
- [SHA256] malware sample – d71dc7ba8523947e08c6eec43a726fe75aed248dfd3a7c4f6537224e9ed05f6f
- [IPv4] C2 server – 45.77.172.28
- [HTTP User-Agent] C2 connection indicator – [email protected]
- [File] DLL export function – badger_http_1
- [Port] C2 HTTP port – 80
Read more: https://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads/