Deliver a Strike by Reversing a Badger: Brute Ratel Detection and Analysis | Splunk

Threat researchers reverse-engineered Brute Ratel C4 (BRC4) and its Badger agents, building a defender-focused analysis and an Atomic-C2 simulator to test detections. The study maps BRC4 behaviors to MITRE techniques, highlighting an ISO-based initial access chain, memory-loaded shellcode, and a suite of analytics and playbooks to help defenders identify and respond to this adversary simulation framework.

Key points

  • STRT used public research to capture Brute Ratel Badger samples and created a VirusTotal search rule to identify more samples.
  • An ISO-delivery and DLL side-loading chain delivers the BRC4 DLL agent: onedrive_fotos.exe loads version.dll/versions.dll from alongside itself (initial access vector: DLL side-loading, T1574.002).
  • The initial shellcode runs in memory, using EnumChildWindows as a callback trigger and NtCreateThreadEx to load the BRC4 agent on the stack.
  • BRC4 capabilities include Windows API abuse, privilege token manipulation (SeDebugPrivilege, Duplicate Token), and evasion techniques such as patching ETW/AMSI.
  • PPID spoofing, ARP/DNS discovery, and extensive host recon/evasion capabilities are used to blend with legitimate activity.
  • STRT built Atomic-C2 to simulate Brute Ratel techniques for detections, and developed a Splunk analytic story with 17 detections across 10 MITRE techniques.
  • Several Splunk SOAR playbooks (e.g., Delete Detected Files, Internal WinRM Investigate, Block Indicators) integrate detections into response workflows.

MITRE Techniques

  • [T1574.002] DLL Side-Loading – The initial access vector leverages the DLL Side-Loading technique (T1574.002) to obtain code execution on the victim host. Quote: “This initial access vector leverages the DLL Side-Loading technique (T1574.002) to obtain code execution on the victim host.”
  • [T1055] Process Injection – The BRC4 DLL agent uses process injection techniques (QAPC, CreateRemoteThread, and CreateSection Techniques) to execute code within other processes. Quote: “Process Injection (QAPC, CreateRemoteThread, and CreateSection Techniques)”.
  • [T1115] Clipboard Data – The BRC4 agent parses clipboard data via Windows APIs to exfiltrate or reuse clipboard contents. Quote: “Parse Clipboard Data” and related code using OpenClipboard and GetClipboardData.
  • [T1016] System Network Configuration Discovery – The malware enumerates network-related data, including the DNS resolver cache. Quote: “Retrieve DNS CACHE RECORD” and usage of DnsGetCacheDataTable to parse the DNS cache.
  • [T1134] Access Token Manipulation – SeDebugPrivilege – Adversaries abuse the SeDebugPrivilege to elevate process access and inject code or dump processes. Quote: “SeDebugPrivilege” and description about privilege token abuse.
  • [T1134] Access Token Manipulation – Duplicate Token – The malware duplicates tokens to create new processes with elevated privileges. Quote: “Duplicate Token” and related description.
  • [T1562.001] Impair Defenses: Patch ETWEventWrite – The DLL agent patches ETW to evade event tracing (and AMSI). Quote: “Patch ETWEventWrite API with ‘0xC3’ opcode…”
  • [T1036] Masquerading – Parent Process ID Spoofing – The BRC4 agent spoofs the parent process ID to evade detections based on process lineage. Quote: “Parent Process ID Spoofing” and description of the spoofing technique.
  • [T1012] Query Registry – Enumerate registry keys – The module enumerates registry keys as part of its discovery. Quote: “Enumerate Registries”.
  • [T1082] System Information Discovery – Get system information – The malware gathers system information as part of reconnaissance. Quote: “Get system information”.
  • [T1113] Screen Capture – Takes screenshots of the target desktop – Quote: “Taking windows desktop screenshot”.
  • [T1059] Command and Scripting Interpreter – Windows Command Shell usage via RUNAS – Quote: “Execute shell command (‘RUNAS’)”.
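The side-loading chain summarized in the key points (onedrive_fotos.exe loading version.dll/versions.dll) and in the T1574.002 entry above is one of the easier BRC4 stages to catch with endpoint telemetry, because version.dll legitimately lives only in the Windows system directories. The following detection is an added example written for this page; it is not Splunk's analytic, not STRT's code, and not part of the original post. It evaluates constructed Sysmon Event ID 7 (image load) style records using the standard Sysmon field names Image, ImageLoaded and Signed, and flags the watched DLL names taken from the page's indicator list when they load from outside System32/SysWOW64, sit next to the loading executable, or are unsigned.

```python
"""Detection for the version.dll / versions.dll side-loading layout.

Added example, not Splunk's or STRT's code. Assumptions:
  * events carry Sysmon EID 7 fields: Image, ImageLoaded, Signed
  * WATCHED_DLLS comes from the page's indicator list
  * SAMPLE_EVENTS are constructed, not captured telemetry
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List

# DLL names from the page's indicators of compromise.
WATCHED_DLLS = {"version.dll", "versions.dll"}

# The only directories where version.dll is expected on a Windows host.
SYSTEM_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
)

# Constructed sample telemetry in Sysmon Event ID 7 shape (not real capture).
SAMPLE_EVENTS = [
    {   # executable run from a mounted ISO, DLL beside it: classic side-load
        "Image": r"D:\onedrive_fotos.exe",
        "ImageLoaded": r"D:\version.dll",
        "Signed": "false",
    },
    {   # benign: explorer loading the real version.dll from System32
        "Image": r"C:\Windows\explorer.exe",
        "ImageLoaded": r"C:\Windows\System32\version.dll",
        "Signed": "true",
    },
    {   # same chain, ISO contents copied to a temp folder first
        "Image": r"C:\Users\alice\AppData\Local\Temp\fotos\onedrive_fotos.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\fotos\versions.dll",
        "Signed": "false",
    },
    {   # benign: vendor app loading its own signed plugin (not a watched name)
        "Image": r"C:\Program Files\Vendor\app.exe",
        "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll",
        "Signed": "true",
    },
]


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    image_loaded: str


def _same_dir(a: PureWindowsPath, b: PureWindowsPath) -> bool:
    # Case-insensitive directory comparison, as NTFS paths are case-insensitive.
    return str(a).lower() == str(b).lower()


def _in_system_dir(path: PureWindowsPath) -> bool:
    return any(_same_dir(path.parent, d) for d in SYSTEM_DIRS)


def evaluate_image_load(event: Dict[str, str]) -> List[Finding]:
    """Return the side-loading rules an image-load event triggers (may be empty)."""
    image = PureWindowsPath(event["Image"])
    loaded = PureWindowsPath(event["ImageLoaded"])
    findings: List[Finding] = []

    if loaded.name.lower() not in WATCHED_DLLS:
        return findings  # only the DLL names this chain abuses are in scope

    if not _in_system_dir(loaded):
        findings.append(Finding("watched_dll_outside_system_dir", str(image), str(loaded)))
        # The DLL sitting in the executable's own directory is the search-order
        # hijack layout the side-loading technique relies on.
        if _same_dir(loaded.parent, image.parent):
            findings.append(Finding("dll_colocated_with_exe", str(image), str(loaded)))

    if event.get("Signed", "").lower() == "false":
        findings.append(Finding("unsigned_watched_dll", str(image), str(loaded)))

    return findings


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map each event index to the rule names it triggered; benign events are omitted."""
    hits: Dict[int, List[str]] = {}
    for idx, ev in enumerate(events):
        rules = [f.rule for f in evaluate_image_load(ev)]
        if rules:
            hits[idx] = rules
    return hits


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        ev = SAMPLE_EVENTS[idx]
        print(f"event {idx}: {ev['Image']} -> {ev['ImageLoaded']}: {', '.join(rules)}")
```

The same three conditions translate directly onto a Splunk search over Sysmon EventCode 7 records (the Image, ImageLoaded and Signed fields), which is where a detection like this would normally live; the Python here just makes the logic testable offline. An event that trips all three rules (watched DLL name, outside the system directories, colocated with an unsigned loader) is the layout the fotos.iso chain produces, and is a reasonable trigger for the file-deletion and host-investigation playbooks the post lists.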

Indicators of Compromise

  • File names: fotos.iso, onedrive_fotos.exe, version.dll, versions.dll

Read more: https://www.splunk.com/en_us/blog/security/deliver-a-strike-by-reversing-a-badger-brute-ratel-detection-and-analysis.html