Brute Ratel, a Red Team framework, has been abused by attackers including APT29 to conduct cyber intrusions, with methods such as ISO-delivered LNK files used for DLL sideloading of version.dll. The article also details the framework’s technical underpinnings, threat hunting findings, and the importance of evolving Threat Intelligence to detect these adversaries.
#BruteRatel #APT29
Keypoints
- The abuse of the Brute Ratel framework by attackers (and APT groups) has been observed over the last year.
- Early campaigns used an ISO containing an LNK file to perform DLL sideloading of a malicious version.dll, a dependency of the legitimate OneDriveUpdater.exe.
- A cracked Brute Ratel version appeared, enabling widespread use by criminals and human-operated intrusions alongside Cobalt Strike.
- The framework uses API hashing (ROT13 in the example) to obscure critical API calls, aiding evasion.
- Anti-debug and anti-hooking techniques are employed to defeat analysis and tamper-detection during execution.
- Shellcode is loaded into memory and executed via NtCreateThreadEx, resulting in a final payload with a missing MZ header.
- The RC4-based configuration is decrypted at runtime using a hardcoded key, revealing endpoints/configuration (including an example config).
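The runtime RC4 config decryption described in the last keypoint, as an added analyst-side example (not code from the article or from Brute Ratel): an RC4 routine, a decryptor that parses the recovered config, and an endpoint extractor for blocklisting. The key, the JSON layout and the sample blob are constructed placeholders, since the real key and config format are not reproduced here.

```python
import json

# Assumption: placeholder standing in for the key recovered from a sample.
RC4_KEY = b"KEY_FROM_SAMPLE"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_config(blob: bytes, key: bytes = RC4_KEY) -> dict:
    """Decrypt an RC4-protected config blob and parse it as JSON.

    Raises ValueError when the key is wrong: the plaintext will not be valid JSON.
    """
    plain = rc4(key, blob)
    try:
        return json.loads(plain.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("plaintext is not a JSON config (wrong key?)") from exc


def extract_endpoints(cfg: dict) -> list:
    """Return host:port strings from a decoded config, e.g. for blocklists."""
    return [f"{h}:{cfg.get('port')}" for h in cfg.get("hosts", [])]


# Constructed sample: a hypothetical config, encrypted with the placeholder key,
# standing in for the blob carved out of a real sample.
SAMPLE_CONFIG = {"hosts": ["c2.example.invalid"], "port": 443, "uri": "/api/v1"}
SAMPLE_BLOB = rc4(RC4_KEY, json.dumps(SAMPLE_CONFIG).encode())

if __name__ == "__main__":
    print(extract_endpoints(decrypt_config(SAMPLE_BLOB)))
```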
MITRE Techniques
- [T1574.002] DLL Side-Loading – A LNK file is used to perform DLL sideloading of the malicious “version.dll” library. “a LNK file used to perform DLL sideloading of the malicious ‘version.dll’ library, a necessary dependency of the legit Microsoft’s executable ‘OneDriveUpdater.exe’.”
- [T1055] Process Injection – Shellcode is executed via a syscall to NtCreateThreadEx to run the payload. “shellcode is executed with a syscall to NtCreateThreadEx.”
- [T1027] Obfuscated/Encrypted Files and Information – The configuration is decrypted at runtime using RC4; the key is hardcoded as “mnan#:
- [T1562] Defense Evasion – Anti-debug and anti-hooking techniques are used to evade analysis: “anti-debug trick” and “anti-hooking trick” to detect breakpoints and tampering of API calls.
- [T1106] Native API – API hashing to obfuscate the calling of critical API calls; ROT13 used as part of the hashing process. “The API Hashing is one of the most trending techniques adopted by malware writers: … the algorithm used to perform the hashing operation is ROT13.”
Indicators of Compromise
- [Hash] Hashes retrieved from threat hunting – 025ef5e92fecf3fa118bd96ad3aff3f88e2629594c6a7a274b703009619245b6, 086dc27a896e154adf94e8c04b538fc146623b224d62bf019224830e39f4d51d, and 28 more hashes
- [File name] BruteRatel_1.2.2.Scandinavian_Defense.tar.gz, version.dll — and 1 more file name
- [IP] Redacted IP address (used in the Brute Ratel config) — and other IPs referenced in endpoints