Unit 42 analyzes Brute Ratel C4 (BRc4) activity tied to a Roshan_CV ISO, showing how a red-teaming tool can evade modern defenses and operate with nation-state-like tradecraft. The post covers the tool’s packaging, delivery via a LNK lure, in-memory execution, C2 infrastructure, and IoCs, highlighting its growing use by malicious actors. #BruteRatelC4 #BRc4
Key points
- BRc4 is designed to evade endpoint detection and antivirus capabilities, achieving low detection across vendors on VirusTotal.
- The Roshan_CV.iso lure demonstrates packaging and delivery techniques similar to APT29 tradecraft, including LNK lures and legitimate binaries used to load malicious payloads.
- Version.dll is a modified Microsoft DLL whose legitimate exports are proxied to vresion.dll, enabling in-memory execution and DLL injection into RuntimeBroker.exe.
- The decrypted payload is a shellcode-based loader that constructs Brute Ratel C4 in memory and communicates with a C2 server at an AWS IP over port 443.
- C2 infrastructure includes at least 41 known malicious IPs and self-signed certificates impersonating Microsoft Security.
- BRc4 samples, including badger_x64.exe, show the same in-memory core with “Badger” terminology and similar configuration data patterns, reinforcing BRc4 attribution.
- Palo Alto Networks urges protections across Threat Prevention, Cortex XDR, and WildFire, and notes broad criminal adoption alongside legitimate red-teaming use.
MITRE Techniques
- [T1566.001] Phishing – Spearphishing Attachment – The packaged ISO reaches the victim by spear-phishing email or is pulled down by a second-stage downloader. “The delivery of packaged ISO files is typically sent via spear phishing email campaigns or downloaded to the victim by a second-stage downloader.”
- [T1059.003] Windows Command Shell – Command and Scripting Interpreter – cmd.exe is launched with parameters to start OneDriveUpdater.exe, enabling chained execution. “cmd.exe is launched with the parameters of: /c start OneDriveUpdater.exe.”
- [T1574.001] Hijack Execution Flow – DLL Search Order Hijacking – The packaging and DLL proxying rely on a legitimate binary resolving version.dll through the DLL search order rather than from the system directory. “through a technique known as DLL search order hijacking.”
- [T1055] Process Injection – The loader uses undocumented Windows NTAPI calls to inject the payload into RuntimeBroker.exe. “The technique outlined above uses process injection via undocumented Windows NTAPI calls.”
- [T1218] Signed Binary Proxy Execution – The actors load and proxy calls through legitimate signed Microsoft binaries (version.dll/vresion.dll) to run the payload. “legitimate digitally signed Microsoft version.dll … proxied to vresion.dll.”
- [T1071.001] Web Protocols – C2 over HTTPS/Web Protocols – BRc4 communicates with a remote C2 over TLS/HTTPS, including HTTP POSTs to the BRc4 listener. “Once the SSL handshake to IP 174.129.157[.]251 is complete, the following data is sent via HTTP POST to the Brute Ratel C4 listener port.”
- [T1113] Screen Capture – Take Screenshots – BRc4 capabilities include taking screenshots as part of discovery/collection. “Take screenshots.”
- [T1021.001] Remote Services – SMB/WinRM/RPC – BRc4 supports multiple C2 channels and remote pivot options (SMB, TCP, WMI, WinRM, RPC). “Multiple command and control channels – multiple pivot options such as SMB, TCP, WMI, WinRM and managing remote services over RPC.”
- [T1046] Network Service Discovery – Port Scanning – The tool performs a port scan as part of network discovery. “Port scan.”
Indicators of Compromise
- [File Hash] Roshan_CV.iso – 1FC7B0E1054D54CE8F1DE0CC95976081C7A85C7926C03172A3DDAA672690042C
- [File Hash] Badger_x64.exe – 3AD53495851BAFC48CAF6D2227A434CA2E0BEF9AB3BD40ABFE4EA8F318D37BBE
- [Kernel Module Hash] X64 Brute Ratel C4 Windows Kernel Module – 31ACF37D180AB9AFBCF6A4EC5D29C3E19C947641A2D9CE3CE56D71C1F576C069
- [X.509 Certificate SHA1s] – 55684a30a47476fce5b42cbd59add4b0fbc776a3 and 66aab897e33b3e4d940c51eba8d07f5605d5b275
- [IP Addresses] – 174.129.157.251, 159.65.186.50 (C2/hosting evidence); other IoCs include 213.200.56.105 (likely attacker/admin IP), and the post lists a broader set of infrastructure.
- [Domain] – ds.windowsupdate.eu.org
- [File Name] – Roshan_CV.ISO, Roshan_Bandara_CV_Dialog.LNK, OneDriveUpdater.exe, Version.dll, vresion.dll, OneDrive.Update
- [Other] – Malicious Encrypted Payloads: B5D1D3C1AEC2F2EF06E7D0B7996BC45DF4744934BD66266A6EBB02D70E35236E
Read more: https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/