Brute Ratel Config Decoding update

Brute Ratel’s config decoding update shows that Brute Ratel now uses a dynamic key to decrypt its onboard configuration, though the hardcoded key still exists for decrypting some strings. The article walks through RC4-based encryption, base64 decoding, and two shellcode loading methods used to decrypt and load components in memory. #BruteRatel #BlackBasta #QBot #CobaltStrike #TrendMicro

Keypoints

  • Brute Ratel config decoding uses a dynamic key instead of a single hardcoded key (though the hardcoded key still exists for decrypting some strings on board).
  • The onboard DLL is RC4 encrypted; the RC4 key is the last 8 bytes of the decoded DLL blob.
  • The decoding workflow combines base64 decoding with RC4 decryption to yield the config content.
  • Two loader approaches are described for bringing config/DLL data into memory: a call-over method and a stack-load method.
  • Shellcode includes anti-debugging checks (e.g., NtGlobalFlag) to hinder analysis and debugging.
  • IOCs include specific domain indicators (symantecuptimehost.com, login.offices365.de) and sample hashes (listed below).

MITRE Techniques

  • [T1027] Obfuscated/Compressed Files and Information – The encoded onboard DLL is stored RC4 encrypted and uses a last-8-byte key to decrypt. Quote: “The encoded onboard DLL is still stored RC4 encrypted as mentioned in the MDSec blog[3] the key is the last 8 bytes:”
  • [T1140] Deobfuscate/Decode Files or Information – Decoding the config first requires decrypting the DLL, which yields the key. Quote: “Decoding the config, then just involves first decrypting the DLL and recovering the key:”
  • [T1132] Data Encoding – The config data is base64 encoded and is decoded as part of the decryptor routine. Quote: “rc4.decrypt(base64.b64decode(cfg))”
  • [T1562] Impair Defenses – Anti-debugging checks are used to hinder analysis. Quote: “The shellcode stager uses a few Anti Debugging checks such as checking the NtGlobalFlag.”
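The decoding workflow in the Keypoints and in the T1027/T1140/T1132 entries above (split off the trailing 8-byte RC4 key, decrypt the DLL, then base64-decode and RC4-decrypt the config with that key) as a self-contained extractor. This is an added example written for this page, not code from the Medium article or from the Walmart or MDSec authors; RC4 is implemented inline, the blob, key and config values are constructed fixtures, and the MZ-header sanity check is an assumption added here to catch a wrong key offset on a real sample.

```python
import base64
from typing import Dict, Tuple

# Constructed sample values (not taken from any real sample): an 8-byte RC4 key,
# a fake "DLL" payload that starts with an MZ header, and a fake config string.
SAMPLE_KEY = bytes.fromhex("0123456789abcdef")
SAMPLE_DLL = b"MZ\x90\x00" + b"constructed onboard DLL body"
SAMPLE_CONFIG = b'{"c2": "example.invalid", "sleep": 60}'


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4 is symmetric, so one routine encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_onboard_dll(blob: bytes) -> Tuple[bytes, bytes]:
    """Split the encrypted onboard blob into (key, plaintext DLL).

    Per the page, the RC4 key is the trailing 8 bytes of the blob and everything
    before it is ciphertext. The MZ check is an added sanity check, not from the page.
    """
    if len(blob) <= 8:
        raise ValueError("blob too short to hold a DLL plus an 8-byte key")
    key, ciphertext = blob[-8:], blob[:-8]
    dll = rc4(key, ciphertext)
    if dll[:2] != b"MZ":
        raise ValueError("no MZ header after decryption; the key-offset assumption may not hold")
    return key, dll


def decode_config(cfg_b64: bytes, key: bytes) -> bytes:
    """The page's decoder step: rc4.decrypt(base64.b64decode(cfg)) with the recovered key."""
    return rc4(key, base64.b64decode(cfg_b64))


def build_sample_blob() -> Tuple[bytes, bytes]:
    """Constructed fixture: RC4-encrypt the fake DLL and append the key;
    base64-encode an RC4-encrypted fake config."""
    blob = rc4(SAMPLE_KEY, SAMPLE_DLL) + SAMPLE_KEY
    cfg_b64 = base64.b64encode(rc4(SAMPLE_KEY, SAMPLE_CONFIG))
    return blob, cfg_b64


def demo() -> Dict[str, object]:
    """Run the full recovery chain on the constructed fixture."""
    blob, cfg_b64 = build_sample_blob()
    key, dll = decrypt_onboard_dll(blob)
    cfg = decode_config(cfg_b64, key)
    return {"key": key.hex(), "dll": dll, "config": cfg}


if __name__ == "__main__":
    result = demo()
    print("recovered key:", result["key"])
    print("config:", result["config"].decode())
```

Against a real sample the only analyst-supplied inputs are the encrypted onboard blob and the base64 config string; the key is never typed in, which is the point of the article's update. If the decrypted data has no MZ header, the key is not where this code assumes and the offset needs re-deriving from the loader.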

Indicators of Compromise

  • [Domain] Context – symantecuptimehost.com, login.offices365.de
  • [Hash] Context – 62cb24967c6ce18d35d2a23ebed4217889d796cf7799d9075c1aa7752b8d3967, d79f991d424af636cd6ce69f33347ae6fa15c6b4079ae46e9f9f6cfa25b09bb0

Read more: https://medium.com/walmartglobaltech/brute-ratel-config-decoding-update-7820455022cb