Brute Ratel C4 (BRC4) is an advanced red-teaming tool which became available in December 2020. The tool was developed by ex-Mandiant and Crowdstrike red teamer, Chetan Nayak. BRC4’s major differentiator to other red team tools, is its ability to evade detection from Endpoint Detection & Response (EDR) and Antivirus (AV) software. BRC4 can leverage undocumented syscalls in place of standard Windows API calls to avoid detection and inject shellcode into already running processes. BRC4 features a debugger that recognizes EDR hooks and prevents triggering their detection, as well as a visual interface for LDAP queries across domains.
On May 19th, 2022, a sample containing a malicious payload associated with BRC4 was uploaded to VirusTotal. VirusTotal did not interpret the sample as malicious.
Like Cobalt Strike, BRC4 is used by red teamers to deploy agents, called badgers, on hacked devices and use them to execute commands remotely to spread laterally throughout compromised environments.
On September 13th, 2022, an archive file called “bruteratel_1.2.2.Scandinavian_Defense.tar.gz” was uploaded to VirusTotal. This file contains a valid copy of BRC4. The cracked version of BRC4 is currently being shared for free amongst hackers across common dark web forums.
While Cobalt Strike is still very effective, it’s been heavily abused by hacking groups sharing it online, making it one of the most popular tools for hackers to use in order to spread laterally throughout breached networks. EDR and AV tools are becoming more effective in detecting Cobalt Strike. We’re seeing an influx in use of BRC4 because of its ability to evade EDR and AV tools. In a recent case, QBot distribution led to the deployment of BRC4. This is the first time seeing Brute Ratel as a second-stage payload via QBot in conjunction with Cobalt Strike.