IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Russia-linked state-sponsored hackers launch fresh attacks by abusing latest red team tool

Researchers said the new tool has evaded the detection of many leading security products and is quickly growing in popularity

Security researchers have discovered hackers abusing the latest penetration testing tool in active attacks on global targets.

Unit 42 experts said that a malicious payload associated with the Brute Ratel C4 (BRc4) red teaming tool goes undetected by many major security products and has been sued against organisations in North and South America.

The packaging of the malicious payload is consistent with the tactics deployed by advanced persistent threat group 29 (APT29) - otherwise known as ‘Cozy Bear’ - a Russian-linked state-sponsored hacking group known for the notorious SolarWinds attack in 2020

The BRc4 tool has been around since 2020 with India-based security engineer Chetan Nayak, who previously worked for red teams at leading western security vendors, recently commercialising the product. 

Nayak has said the pentesting tool was built after reverse-engineering several major security products, while Unit 42 said BRc4 is newer but no less capable than the more commonly abused Cobalt Strike.

“Overall, we believe this research is significant in that it identifies not only a new red team capability that is largely undetectable by most cyber security vendors, but more importantly, a capability with a growing user base that we assess is now leveraging nation-state deployment techniques,” Unit 42 said.

“We encourage all security vendors to create protections to detect activity from this tool and all organisations to be on alert for activity from this tool.”

After first being uploaded to VirusTotal in May 2022, the malicious payload slipped under the detection of 56 different security vendors that evaluated it, assigning it ‘benign’ status, Unit 42 said, showing how effective Nayak’s reverse engineering efforts have been.

Method of delivery

The malicious file is packaged up as a self-contained, benign ISO file and included in the ISO is the lure file - a Windows shortcut (LNK) file masquerading as a Word document, complete with a fake word doc file icon, and seemingly being a CV for a Roshan Bandara.

This is the actual malicious file, hidden inside the ISO which slipped through security vendors’ detections. It appears on a user’s hard drive after the ISO is double-clicked and mounted as a Windows drive. When the lure file is opened-clicked, BRc4 would be installed.

Related Resource

Unified endpoint management solutions 2021-22

Analysing the UEM landscape

Whitepaper cover with title on shaded pink/purple backgroundFree Download

This file is typically sent to victims through spear-phishing campaigns or downloaded to the victim by a second-stage downloader, Unit 42 said.

“While we lack insight into how this particular payload was delivered to a target environment, we observed connection attempts to the C2 server originating from three Sri Lankan IP addresses between May 19-20,” said the researchers.

In the same folder where the lure file is stored, other archived .exe and .dll files are present but hidden to most Windows users thanks to the operating system’s (OS) default configuration.

Flowchart showing the infection chain of BRc4

Unit 42

BRc4’s capabilities

Once installed, BRc4 advertises itself as having a broad range of capabilities. These were designed for legitimate use in red team-blue team exercises, but like Cobalt Strike, the powerful tools are often abused by black hat hackers in malicious cyber attacks.

Some of the tool’s capabilities include:

  • SMB and TCP payloads provide the functionality to write custom external C2 channels over legitimate websites such as Slack, Discord, Microsoft Teams, and more
  • Ability to keep memory artefacts hidden from EDRs and AV
  • Take screenshots
  • x64 shellcode loader
  • Reflective and object file loader
  • Patching Anti Malware Scan Interface (AMSI)
  • Create Windows system services
  • Upload and download files

Unit 42 also said the C2 infrastructure used by the threat actors abusing BRc4 is consistent with the methods used by APT29, using popular cloud storage and collaboration platforms.

The sample analysed by the researchers found the payload ‘calling home’ to an AWS-registered IP address located in the US over port 443. The X.509 certificate on the listening port was also self-signed and set up to impersonate a Microsoft security team.

A Ukrainian IP address was also used to administer the C2 infrastructure, and researchers believed that the attackers harnessed a residential network for this.

Featured Resources

The Total Economic Impact™ Of Turbonomic Application Resource Management for IBM Cloud® Paks

Business benefits and cost savings enabled by IBM Turbonomic Application Resource Management

Free Download

The Total Economic Impact™ of IBM Watson Assistant

Cost savings and business benefits enabled by Watson Assistant

Free Download

The field guide to application modernisation

Moving forward with your enterprise application portfolio

Free Download

AI for customer service

Discover the industry-leading AI platform that customers and employees want to use

Free Download

Most Popular

Why convenience is the biggest threat to your security

Why convenience is the biggest threat to your security

8 Aug 2022
UK water supplier confirms hack by Cl0p ransomware gang

UK water supplier confirms hack by Cl0p ransomware gang

16 Aug 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

29 Jul 2022