"Stealthy Cyber-Campaign Ditches Cobalt Strike for Rival 'Brute Ratel' Pen Test Tool"

In a new campaign, hackers are abandoning the Cobalt Strike post-exploitation toolkit in favor of Brute Ratel C4 (BRc4). BRc4 is the latest upstart in the world of red-team tooling: an adversarial attack simulation tool designed for penetration testers, similar to Cobalt Strike. It is a command-and-control (C2) framework that is difficult to detect with endpoint detection and response (EDR) technology or other anti-malware tools. Brute Ratel's free-license safeguards were bypassed by attackers, who used the program to launch malicious attack campaigns. The analyzed BRc4 sample reportedly uses well-known APT29 tactics, including abuse of popular cloud storage and online collaboration tools. In this instance, the sample was packaged as a self-contained ISO containing a Windows shortcut (LNK) file, a malicious payload library, and a legitimate copy of the Microsoft OneDrive Updater. Running the benign application from the ISO-mounted folder caused the malicious payload to be loaded as a dependency via a technique known as DLL search order hijacking. The article goes on to discuss attackers' use of the BRc4 penetration testing tool to evade detection.
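As an added defender-side illustration (not code from the Dark Reading article or from the sample it describes), the following checks Sysmon-style image-load events for the pattern described above: a legitimate executable run from a mounted ISO resolving a DLL from its own directory instead of System32. The event shape, the drive letter, the executable file name and the DLL allow-list are all constructed assumptions, not values from the page.

```python
"""Flag image-load events consistent with DLL search order hijacking.

Assumptions (constructed for this example): events are dicts shaped like
Sysmon Event ID 7 (ImageLoad) with "Image" and "ImageLoaded" fields, and a
DLL whose name normally lives in System32 but resolves next to the EXE is
treated as a hijack candidate.
"""
import ntpath

# Constructed allow-list of DLL names that are expected to load from System32.
# The real sample's DLL name is not given on the page; these are placeholders.
SYSTEM_DLLS = {"version.dll", "userenv.dll", "wtsapi32.dll"}
SYSTEM_DIR = r"c:\windows\system32"


def is_hijack_candidate(event):
    """True when a System32-resident DLL name resolved from the EXE's own folder."""
    image = event["Image"].lower()
    loaded = event["ImageLoaded"].lower()
    exe_dir = ntpath.dirname(image)
    dll_dir = ntpath.dirname(loaded)
    dll_name = ntpath.basename(loaded)
    # The application directory is searched before System32, so a known
    # system DLL appearing beside the EXE is the hijacking signature.
    return dll_name in SYSTEM_DLLS and dll_dir == exe_dir and dll_dir != SYSTEM_DIR


def find_hijacks(events):
    """Return the subset of events that look like DLL search order hijacking."""
    return [e for e in events if is_hijack_candidate(e)]


# Constructed sample events: E:\ stands in for a mounted ISO, and the
# executable name is a placeholder for the legitimate updater binary.
SAMPLE_EVENTS = [
    {"Image": r"E:\OneDriveUpdater.exe", "ImageLoaded": r"E:\version.dll"},
    {"Image": r"E:\OneDriveUpdater.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
]

if __name__ == "__main__":
    for hit in find_hijacks(SAMPLE_EVENTS):
        print("hijack candidate:", hit["Image"], "->", hit["ImageLoaded"])
```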

Dark Reading reports "Stealthy Cyber-Campaign Ditches Cobalt Strike for Rival 'Brute Ratel' Pen Test Tool"


Submitted by Anonymous on