July 5, 2022
Cybersecurity product manufacturers are being urged to adapt their applications to detect abuse of a new commercial attack simulation tool being used by threat actors.
The warning, issued today by researchers at Palo Alto Networks’ Unit 42 threat intelligence service, also urges IT and cybersecurity defenders in organizations to watch out for signs of malware that include the Brute Ratel C4 (BRc4) tool.
BRc4, sold by a firm called Dark Vortex, is similar to the legitimate commercial Cobalt Strike attack simulation tool sold to IT departments for testing defences and training staff. For several years, attackers have been using illegal copies of Cobalt Strike to help in their attacks by scanning victims’ networks. Now attackers are taking advantage of BRc4.
Unit 42 researchers said that in May, someone uploaded a file that included a payload associated with BRc4 to the VirusTotal website for checking. VirusTotal is a tool used by security researchers to identify possible nasty code using antimalware scanners from 56 companies. However, Unit 42 says, this particular piece of malware was passed by all scanners.
What makes BRc4 “uniquely dangerous,” says Unit 42, is that it was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) scanners.
The malware sample Unit 42 looked at called home over port 443 to an Amazon Web Services (AWS) IP address located in the United States, the report says. The X.509 verification certificate on the listening port was configured to impersonate Microsoft, with an organization name of “Microsoft” and organization unit of “Security.”
Pivoting on the certificate and other artifacts, researchers identified 41 malicious IP addresses, nine BRc4 samples, and an additional three organizations across North and South America who have been impacted by this tool so far, the report says.
The report doesn’t say how the malware Unit 42 looked at is being distributed — as an email attachment or a file uploaded after compromising a vulnerable application or device, or another mechanism.
The malware sample Unit 42 looked at was packaged as a self-contained ISO file. Included was a Windows shortcut (LNK) file, a malicious payload DLL and a legitimate copy of Microsoft OneDrive Updater. Attempts to execute the benign application from the ISO-mounted folder resulted in the loading of the malicious payload as a dependency through a technique known as DLL search order hijacking, says the report.
“These techniques demonstrate that users of the tool are now applying nation-state tradecraft to deploy BRc4,” the report says.
