Hacked Version of Brute Ratel Post-Exploitation Tool Is Found Online

hacked version of Brute Ratel
Written by Emma Davis

Information security experts have warned that a hacked version of the red team tool Brute Ratel is being distributed on Russian-speaking and English-speaking hacker forums. If Chitan Nayak, the creator of the toolkit, used to claim that if abuse was detected, he could identify the violator and revoke the license, now this will no longer work.

Chitan Nayak

Chitan Nayak

In 2020, Chitan Nayak, a former red team member in Mandiant and CrowdStrike, created the BRc4 as an alternative to Cobalt Strike. The instruments turned out to be both similar and dissimilar to each other. For example, Cobalt Strike allows deploying “beacons” on compromised devices to remotely monitor the network or execute commands. In turn, Brute Ratel allows to deploy badgers to remote hosts, which are very similar to beacons in Cobalt Strike. Such badgers connect to the attacker’s control server in order to receive commands or transmit the results of already launched commands to operators.

Let me remind you that the first abuses of the Brute Ratel Command and Control Center (Brute Ratel C4 or BRc4) were discovered in the summer of 2022 and later were used by Russian hackers. Since BRc4 is largely focused on evading detection by EDR and antivirus solutions, almost all security products do not detect malware in it. Because of this feature, the researchers called the Brute Ratel “uniquely dangerous.”

Brute Ratel currently costs $2,500 per user for an annual license, and customers are required to provide a work email address and pass verification before obtaining a license. Since the verification is performed manually (although it is not known exactly how), in the summer of 2022, the question arose before the experts, how did the attackers even get a license?

Then Chitan Nayak told Bleeping Computer reporters that the license was leaked by a disgruntled employee of one of his clients. The developer assured that the payloads allow him to see who they belong to, so he was able to identify and promptly revoke the license.

However, even then it was reported that the abuse of Brute Ratel was not an isolated case.

According to information security experts, the Conti ransomware operators generally acquired Brute Ratel licenses, creating special shell American companies for this purpose.

Apparently, now hackers will no longer have to resort to such tricks. The fact is that information security expert Will Thomas, known under the nickname BushidoToken, found that a hacked copy of Brute Ratel (version 1.2.2) has already been circulating among attackers on hacker forums since mid-September.

Now there are several threads [about Brute Ratel] on popular hack forums where data brokers, malware developers, initial access brokers and ransomware partners hang out. This includes BreachForums, CryptBB, RAMP, Exploit[.]in and Xss[.]is, as well as various Telegram and Discord groups.warns Thomas.

hacked version of Brute Ratel

Thomas writes that this version of Brute Ratel does not require a license key to be entered at all, and does not look counterfeit to him or his colleagues at Curated Intel. According to the expert, attackers are already actively sharing screenshots with each other, which show how they are testing the toolkit.

hacked version of Brute Ratel

Chitan Nyak confirmed to reporters that an unhacked version of the toolkit was previously uploaded to VirusTotal, which was then hacked by the Russian-speaking hacker group Molecules to remove the license check.

Alas, this means that in the near future more attackers will start using the Brute Ratel instead of or along with the Cobalt Strike. At the same time, Will Thomas emphasizes that the toolkit is able to generate shellcode, which is currently extremely poorly detected by security solutions.

One of the most important aspects of BRC4 is its ability to generate shellcode that is not detected by many EDR and antivirus products. This extended evasion window can give attackers enough time to establish initial access, start lateral movement, and gain a foothold elsewhere.Thomas explains in his report.
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply