How to detect Brute Ratel activities
Brute Ratel (BRc4) is a Command and Control (C2) framework designed to help attackers evade defence systems and remain undetected while executing malicious commands. Used in simulations of real-world attacks, this tool helps red team members deploy badgers on remote hosts. Badgers are similar to Cobalt Strike beacons and connect attackers to a remote command and control server, providing them with remote code execution capabilities.
The current version of Brute Ratel allows users to create command-and-control channels using legitimate tools such as Microsoft Teams, Slack and Discord. It also uses undocumented syscalls instead of standard Windows API calls to avoid detection, and injects shellcode into running processes. BRc4 includes a debugger capable of detecting and bypassing EDR hooks and detections, as well as an easy-to-use visual interface to assist with LDAP queries across domains.
Similar to what I did in a previous post focusing on the Sliver framework, I try to outline a multi-layered approach to detecting malicious activity related to this tool, focusing on use of endpoint detection and response (EDR) tools, network traffic analysis, and file system monitoring.
Network Traffic Analysis
The detection of Brute Ratel traffic patterns is not easy, because the framework allows attackers to hide malicious traffic into communications with legitimate tools such as Microsoft Teams, Slack and Discord.
However, in this article the security firm YOROI suggests using the following Yara rule:
rule brute_ratel
{
meta:
author = "Yoroi Malware ZLab"
description = "Rule for BruteRatel Badger"
last_updated = "2023-02-15"
tlp = "WHITE"
category = "informational"
strings:
$1 = {8079ffcc74584585c075044883e920448a094180f9e9740a448a41034180f8e97507ffc24531c0ebd731c04180f94c752f8079018b7529807902d175214180f8b8751b8079060075170fb64105c1e0084189c00fb641044409c001d0eb0231c0c3} // Checks Breakpoint (DLL)
$2 = {565389d34883ec2885db74644889cee8????????31c9ba????????4989c0e8????????448d430165488b142530000000488b5260488b4a30ba08000000ffd04885f6741c4885c0742731d20f1f4400000fb60c16880c104883c2014839d375f04883c4285b5ec3} // Shellcode
condition:
(uint16(0) == 0x5A4D or uint16(0) == 0x00E8 or uint16(0) == 0x8348) and ($1 or $2)
}
File System Monitoring
According to article by Unit42 and Splunk, recent campaigns using Brutal Rater have exploited fake Microsoft OneDrive installers encapsulated in .iso files to minimise detection by antivirus software.
This information can be used to create a hash list of possible files associated with payload implantation attempts:
| SHA |
|---|
| 1FC7B0E1054D54CE8F1DE0CC95976081C7A85C7926C03172A3DDAA672690042C |
| 31ACF37D180AB9AFBCF6A4EC5D29C3E19C947641A2D9CE3CE56D71C1F576C069 |
| F58AE9193802E9BAF17E6B59E3FDBE3E9319C5D27726D60802E3E82D30D14D46 |
| 3ED21A4BFCF9838E06AD3058D13D5C28026C17DC996953A22A00F0609B0DF3B9 |
| 3AD53495851BAFC48CAF6D2227A434CA2E0BEF9AB3BD40ABFE4EA8F318D37BBE |
| 973F573CAB683636D9A70B8891263F59E2F02201FFB4DD2E9D7ECBB1521DA03E |
| DD8652E2DCFE3F1A72631B3A9585736FBE77FFABEE4098F6B3C48E1469BF27AA |
| E1A9B35CF1378FDA12310F0920C5C53AD461858B3CB575697EA125DFEE829611 |
| EF9B60AA0E4179C16A9AC441E0A21DC3A1C3DC04B100EE487EABF5C5B1F571A6 |
| D71DC7BA8523947E08C6EEC43A726FE75AED248DFD3A7C4F6537224E9ED05F6F |
| 5887C4646E032E015AA186C5970E8F07D3ED1DE8DBFA298BA4522C89E547419B |
| EA2876E9175410B6F6719F80EE44B9553960758C7D0F7BED73C0FE9A78D8E669 |
| B5D1D3C1AEC2F2EF06E7D0B7996BC45DF4744934BD66266A6EBB02D70E35236E |
| 55684a30a47476fce5b42cbd59add4b0fbc776a3 |
| 66aab897e33b3e4d940c51eba8d07f5605d5b275 |
| b5378730c64f68d64aa1b15cb79088c9c6cb7373fcb7106812ffee4f8a7c1df7 |
| cab0da87966e3c0994f4e46f30fe73624528d69f8a1c3b8a1857962e231a082b |
| 392768ecec932cd22511a11cdbe04d181df749feccd4cb40b90a74a7fdf1e152 |
| e549d528fee40208df2dd911c2d96b29d02df7bef9b30c93285f4a2f3e1ad5b0 |
| a8f50e28989e21695d76f0b9ac23e14e1f8ae875ed42d98eaa427b14a7f87cd6 |
| 025ef5e92fecf3fa118bd96ad3aff3f88e2629594c6a7a274b703009619245b6 |
| 086dc27a896e154adf94e8c04b538fc146623b224d62bf019224830e39f4d51d |
| 17decce71404a0ad4b402d030cb91c6fd5bca45271f8bf19e796757e85f70e48 |
| 17e4989ff7585915ec4342cbaf2c8a06f5518d7ba0022fd1d97b971c511f9bde |
| 200955354545ef1309eb6d9ec65a917b08479f28362e7c42a718ebe8431bb15d |
| 221e81540e290017c45414a728783cb62f79d9f63f2547490ec2792381600232 |
| 25e7a8da631f3a5dfeec99ca038b3b480658add98719ee853633422a3a40247d |
| 28a4e9f569fd5223bffe355e685ee137281e0e86cae3cc1e3267db4c7b2f3bcd |
| 2ddc77de26637a6d759e5b080864851b731fdb11075485980ece20d8f197104c |
| 31fe821e4fac6380701428e01f5c39c6f316b6b58faff239d8432e821a79d151 |
| 331952c93954bd263747243a0395441d0fae2b6d5b8ceb19f3ddb786b83f0731 |
| 34c1d162bf17cdb41c2c5d220b66202a85f5338b15019e26dcab1a81f12fc451 |
| 38b3b10f2ddeecda0db029dacc6363275c4cdf18cc62be3cc57b79647d517a44 |
| 3a946cba2ba38a2c6158fa50beee20d2d75d595acc27ea51a39a37c121082596 |
| 3baace2a575083a7031af7e9e13ff8ed46659f0b25ce54abe73db844acfad11a |
| 3f63fbc43fc44e6bf9c363e8c17164aeb05a515229e2111a2371d4321dcde787 |
| 4766553ce5ff67a2e28b1ee1b5322e005b85b26e21230ffba9622e7c83ed0917 |
| 4e5d89844135dca1d9899a8eedfbabc09bcb0fb5c5c14c29f7df5a58d7cf16d4 |
| 4f88738e04447344100bb9532c239032b86e71d8037ccb121e2959f37fff53cf |
| 54e844b5ae4a056ca8df4ca7299249c4910374d64261c83ac55e5fdf1b59f01d |
| 56ced937d0b868a2005692850cea467375778a147288ac404748c2dea9c17277 |
| 5f4782a34368bb661f413f33e2d1fb9f237b7f9637f2c0c21dc752316b02350c |
| 6021d5500fdea0664a91bdd85b98657817083ece6e2975362791c603d7a197c7 |
| 62cb24967c6ce18d35d2a23ebed4217889d796cf7799d9075c1aa7752b8d3967 |
| 62e88163b51387b160e9c7ea1d74f0f80c52fc32c997aa595d53cbc2c3b6caf4 |
| 64a95de2783a97160bac6914ee07a42cdd154a0e33abc3b1b62c7bafdce24c0c |
| 6a85451644a2c6510d23a1ab5610c85a38107b3b3a00238f7b93e2ce6d1ba549 |
| 6ade03a82d8bb884cae26c6db31cf539bec66861fc689cf1c752073fb79740c5 |
| 6fdd81e31f2bec2bdda594974068a69e911219d811c8de4466d7a059dd3183a3 |
| 74c00f303b87b23dffb59718187ff95c9d4d8497c61a64501166ac5dbed84b9f |
| 7757a76ca945f33f3220ad2b2aa897f3e63c47f08e1b7d62d502937ba90360a7 |
| 7824197ad3b9c0981a1cdabf82940ac7733d232442bd31d195783a4e731845d2 |
| 79e232b2a08a2960a493e74ab7cba3e82c8167acc030a5ca8d080d0027a587fe |
| 7fe1ff03e8f5678d280f7fd459a36444b6d816b2031e37867e4e36b689eccd33 |
| 83b336deca35441fa745cd80a7df7448ce24c09dd2a36569332ae0e4771f36a6 |
| 88249de22cefaf15f7c45b155703980fb09eb8e06b852f9d4a7c82126776ee7e |
| 8b8f7e8030e2ba234a33bc8a2fa3ccb5912029d660e03ed40413d949142b98fe |
| 8d979a1627dea58e9b86f393338df6aabfd762937e25e39f1d325fce06cf5338 |
| 8dd3faf0248890e8c3efb40b800f892989204ba3125986690669f0a914f26c5d |
| 9521f51e42b8e31d82b06de6e15dbf9a1fa1bbff62cf6bc68c0b9e8fd1f8b2c5 |
| 97a00056c459a7ce38ad8029413bf8f1691d4ae81e90f0d346d54c91dd02a511 |
| 991f883556357a3b961c31e2b72f6246b52b27a5c45b72914abc61c5b5960cc3 |
| 9f06583bd4b8c4aefc470ef582ff685cd3d03b404e67ce8bf9dbbd5828c90c43 |
| a0c3da2ebf94f6671537a80d26b3288f8fcdf845fe2780ef81fd9da48c0162bf |
| a8759ef55fed4a9410cc152df9ef330a95f776619901054715ed4721a414d15c |
| a8cc14bd56aa4a2da40717cb3f11ecb6aff4e0797a9cebcff51461db19eaf580 |
| ae38ec0ddc58424bf6de8858c82c4c6902fc947604943d58d8cbca00991c7f7d |
| aeb82788aad8bdee4c905559c4636536fb54c40fdc77b27ba4308b6a0f24bedf |
| bdd028922220ff92acb8530c894e2705743a968a8159fe955c1057736c7e1ebd |
| c3cc43492d005b25fc2cc66f82a550420bb4c48b5aae0a77f1ccef0603a3e47c |
| c4f40e2eb029ef11be4ac43ccc6895af6fb6dabd3a5bcc02f29afb9553da625c |
| c6aa2c54eee52f99a911dadfbf155372bd9f43fb9f923500b0b374799204d7a3 |
| c6e2562a2ae399a851b0e5bfb92011e9f97ab45fa536a61eb89b3aee062461f7 |
| ca2b9a0fe3992477d4c87a6e2a75faaac9ea0f3828d054cb44371b3068b76ba5 |
| cdc5e05843cf1904e145dad3ae6c058b92b1bc3cbffffc217884b7cc382172a1 |
| cee890a9e7ab521125372c13b71fc154ef5332d333fe43798303b198e9314dcd |
| d90beab9a3986c26922e4107dccb0b725b8b0eea398f2aeb8848cbe25c3becee |
| db987749ef4a58c6a592a33221770d23adcb2efce4a5504aabc73d61cd356616 |
| dc9757c9aa3aff76d86f9f23a3d20a817e48ca3d7294307cc67477177af5c0d4 |
| dcb986e45f1cf38794acec5e7f576a8dff6fbec66e6a09e3cc92596c796ad0d3 |
| e400a196e7128a3cf40085629db8f26b73b6980be7df3da60928a4a062bc85cb |
| e491d06e3a556c79e922274af04c1786a957775ba2d5d0b02d13bdee91bf5ce4 |
| ea6d9ff8f768fc0132f9f543d9546744d04f9f83e2241950f63f60b520b9ece0 |
| ead189bb18ee839db3d221701e208c4d2845c232cec66764bb3ea6c688ca18e8 |
| ee035537c3b8fc54ca2e1fa98c18e2fb0e203d863005c878bc8ceaa690a6689f |
| ee53521e7d8b2b05fef77877440738ee169f3b75228931f9aaf96621a2f64c25 |
| eef36bc6f208abd46541bac1b1de18bb3a69057b1a54e67d71d259cc0f1bef5b |
| f59fe0945f97df4e3d2efc9b31d00602fc5a16e05453e0d853e275cadb63a057 |
| f875e68899afe172394176fa9cabededeaa19ad6816a90746bb630c064c69e6a |
| fdeb6a6aaee94fe204fb986f6d78e64a9086c5f64e315d8c5e90b590f0007af8 |
Endpoint Detection and Response (EDR) Tools
Using EDR tools it is possible to detect Brute Ratel activity by monitoring for specific behaviors, such as the use of specific network connections.
Using information provided by Uni42, Yoroi and Splunk it is possible to create a list of network indicator useful to spot malicious activities performed with the framework:
| IP/Domain |
|---|
| 104.6.92[.]229 |
| 137.184.199[.]17 |
| 138.68.50[.]218 |
| 138.68.58[.]43 |
| 139.162.195[.]169 |
| 139.180.187[.]179 |
| 147.182.247[.]103 |
| 149.154.100[.]151 |
| 15.206.84[.]52 |
| 159.223.49[.]16 |
| 159.65.186[.]50 |
| 162.216.240[.]61 |
| 172.105.102[.]247 |
| 172.81.62[.]82 |
| 174.129.157[.]251 |
| 178.79.143[.]149 |
| 178.79.168[.]110 |
| 178.79.172[.]35 |
| 18.133.26[.]247 |
| 18.130.233[.]249 |
| 18.217.179[.]8 |
| 18.236.92[.]31 |
| 185.138.164[.]112 |
| 194.29.186[.]67 |
| 194.87.70[.]14 |
| 213.168.249[.]232 |
| 3.110.56[.]219 |
| 3.133.7[.]69 |
| 31.184.198[.]83 |
| 34.195.122[.]225 |
| 34.243.172[.]90 |
| 35.170.243[.]216 |
| 45.144.225[.]3 |
| 45.76.155[.]71 |
| 45.79.36[.]192 |
| 52.48.51[.]67 |
| 52.90.228[.]203 |
| 54.229.102[.]30 |
| 54.90.137[.]213 |
| 89.100.107[.]65 |
| 92.255.85[.]173 |
| 92.255.85[.]44 |
| 94.130.130[.]43 |
| ds.windowsupdate.eu[.]org |