Criminals are using a tool built to slip past anti-virus software in order to stay undetected, according to a recent report.
A malware sample that was uploaded to the VirusTotal database on May 19, 2022 was found to contain a payload associated with Brute Ratel C4, a relatively new and sophisticated toolkit that was "designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities," according to Palo Alto Networks Unit 42.
Brute Ratel (BRc4) was developed by an Indian security researcher by the name of Chetan Nayak. It is comparable to Cobalt Strike and is referred to as a "customized command-and-control center for red team and adversary simulation."
The first version of the commercial software was made available late in 2020, and since then it has amassed over 480 licenses across 350 customers. Each license initially costs $2,500; after the first year, it can be renewed for the same number of users at a cost of $2,250.
BRc4 comes equipped with a wide variety of features, including process injection, the automation of adversary TTPs, the capturing of screenshots, the uploading and downloading of files, support for multiple command-and-control channels, and the ability to keep memory artifacts concealed from anti-malware engines.
The artifact, which was uploaded from Sri Lanka, pretends to be the curriculum vitae of an individual named Roshan Bandara ("Roshan CV.iso"). In reality it is an optical disc image file: when double-clicked, it mounts as a Windows drive containing a seemingly harmless Word document that, upon launching, installs BRc4 on the user's machine and establishes communications with a remote server.
Packaged ISO files are typically delivered through spear-phishing email campaigns, but it is unclear whether the same method was used to deliver this payload to the target environment.
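The mount-then-launch chain described above (an ISO that mounts as a drive, a lure document opened from it, and a loader started from the same drive) lends itself to a simple host-side correlation. The Python below is an added illustration, not code from the Unit 42 report or from the BRc4 project. It assumes a constructed event stream in which ISO mounts and unmounts, and process creations with image path, parent image and command line, are already available as dictionaries; the field names, sample paths, user name and severity levels are all assumptions. It flags an Office application opening a document from a mounted ISO (medium) and, more seriously, an executable located on that ISO being spawned by an Office application (high), while forgetting the drive letter on unmount so that a physical drive later reusing the letter is not flagged.

```python
"""Correlate ISO-mount events with process launches to spot lure-document chains.

Added example with constructed events; not taken from the report.
"""
import ntpath
import re
from typing import Optional

# Office hosts whose document arguments and child processes we care about (assumed list)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Document-like extensions that make a plausible lure
DOC_EXT = re.compile(r"\.(docx?|xlsx?|pptx?|lnk)$", re.IGNORECASE)
DRIVE_RE = re.compile(r"^([A-Za-z]:)")


def drive_of(path: str) -> Optional[str]:
    """Return the upper-cased drive prefix ('E:') of a Windows path, or None."""
    m = DRIVE_RE.match(path.strip('"'))
    return m.group(1).upper() if m else None


def cmdline_paths(cmdline: str) -> list:
    """Split a Windows command line into tokens, honouring double quotes."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


class IsoChainDetector:
    """Tracks ISO mounts per user and scores process launches that touch them."""

    def __init__(self):
        # (user, drive letter) -> path of the ISO currently mounted there
        self.mounted = {}

    def handle(self, ev: dict) -> Optional[dict]:
        kind = ev["type"]
        if kind == "iso_mount":
            self.mounted[(ev["user"], ev["drive"].upper())] = ev["iso"]
            return None
        if kind == "iso_unmount":
            # Forget the letter so a later physical drive reusing it is not flagged
            self.mounted.pop((ev["user"], ev["drive"].upper()), None)
            return None
        if kind != "process_create":
            return None
        user, image = ev["user"], ev["image"]
        parent = ntpath.basename(ev.get("parent_image", "")).lower()
        exe_drive = drive_of(image)
        if exe_drive and (user, exe_drive) in self.mounted:
            # An executable living on the ISO: far worse when Office started it
            sev = "high" if parent in OFFICE_APPS else "low"
            iso = self.mounted[(user, exe_drive)]
            return self._alert(ev, sev, f"executable on mounted ISO {iso} started by {parent or 'unknown'}")
        if ntpath.basename(image).lower() in OFFICE_APPS:
            # Office host opening a document that sits on a mounted ISO
            for tok in cmdline_paths(ev.get("cmdline", ""))[1:]:
                d = drive_of(tok)
                if d and (user, d) in self.mounted and DOC_EXT.search(tok):
                    return self._alert(ev, "medium", f"{ntpath.basename(image)} opened {tok} from mounted ISO")
        return None

    @staticmethod
    def _alert(ev: dict, severity: str, reason: str) -> dict:
        return {"ts": ev["ts"], "user": ev["user"], "severity": severity, "reason": reason}

    def run(self, events) -> list:
        return [a for a in (self.handle(e) for e in events) if a]


WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"

# Constructed sample events, loosely modelled on the chain the article describes
SAMPLE_EVENTS = [
    {"ts": 1, "type": "iso_mount", "user": "alice", "drive": "E:", "iso": r"C:\Users\alice\Downloads\Roshan CV.iso"},
    {"ts": 2, "type": "process_create", "user": "alice", "image": WINWORD, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": f'"{WINWORD}" /n "E:\\Roshan CV.docx"'},
    {"ts": 3, "type": "process_create", "user": "alice", "image": r"E:\bin\update.exe", "parent_image": WINWORD,
     "cmdline": r"E:\bin\update.exe"},
    {"ts": 4, "type": "iso_unmount", "user": "alice", "drive": "E:"},
    {"ts": 5, "type": "iso_mount", "user": "alice", "drive": "F:", "iso": r"D:\isos\tools.iso"},
    {"ts": 6, "type": "process_create", "user": "alice", "image": r"F:\setup.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"F:\setup.exe"},
    {"ts": 7, "type": "iso_unmount", "user": "alice", "drive": "F:"},
    # Same letter, but F: is no longer an ISO (think USB stick): must not fire
    {"ts": 8, "type": "process_create", "user": "alice", "image": r"F:\setup.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"F:\setup.exe"},
]


def detect_sample() -> list:
    """Run the detector over the constructed events and return the alerts."""
    return IsoChainDetector().run(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in detect_sample():
        print(a["ts"], a["severity"], a["reason"])
```

Keying the mount table on (user, drive letter) keeps one user's ISO from tainting another session that happens to use the same letter, and the unmount handling is what stops the last event from producing a false positive.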
Unit 42 researchers Mike Harbison and Peter Renals said that the "composition of the ISO file, Roshan CV.ISO, closely resembles that of other nation-state APT tradecraft." They pointed out similarities to a packaged ISO file that was previously attributed to the Russian nation-state actor APT29 (aka Cozy Bear, The Dukes, or Iron Hemlock).
The year before last, APT29 became well-known after it was determined that the state-sponsored group was responsible for orchestrating a large-scale attack on the SolarWinds supply chain.
The cybersecurity company mentioned that it also discovered a second sample, uploaded to VirusTotal from Ukraine the following day, which displayed code overlaps with a module responsible for loading BRc4 into memory. Since then, the investigation has uncovered seven more BRc4 samples, all of which date from February 2021.
That's not the end of it. A number of possible victims have been located through the investigation of the C2 server, which served as a covert channel during the incident. This includes a company based in Mexico that is a major player in the textile industry, a company that operates in Argentina, and an IP television provider that offers content from both North and South America.
According to the researchers, "The emergence of a new capability for adversary emulation and penetration testing is significant. The effectiveness of BRc4 in defeating modern defensive EDR and AV detection capabilities is even more alarming."
Shortly after the results of the investigation were made public, Nayak tweeted that "proper actions have been taken against the found licenses which were sold in the black market." He also stated that BRc4 v1.1 "will change every aspect of IoC found in the previous releases."