{"id":8322,"date":"2024-07-24T12:07:19","date_gmt":"2024-07-24T12:07:19","guid":{"rendered":"\/cybersecurity-blog\/?p=8322"},"modified":"2024-07-25T11:49:24","modified_gmt":"2024-07-25T11:49:24","slug":"brute-ratel-c4-analysis","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/brute-ratel-c4-analysis\/","title":{"rendered":"Brute Ratel C4 Badger Used to Load Latrodectus"},"content":{"rendered":"\n

Editor’s note: The current article is authored by Mohamed Talaat, a cybersecurity researcher and malware analyst. You can find Mohamed on X<\/a> and LinkedIn<\/a>.<\/em><\/p>\n\n\n\n

Brute Ratel C4 (BRC4) is a customized, commercial command and control (C2) framework that was first introduced in December 2020. Its primary use is for conducting adversarial attack simulation, red-team engagements, and penetration tests.<\/p>\n\n\n\n

What sets BRC4 payloads apart from other C2 frameworks like Cobalt Strike<\/a> or Metasploit is their ability to effectively bypass and avoid endpoint detection and response (EDR) solutions. This is due to the extensive research conducted by the developer on these software solutions.<\/p>\n\n\n\n

As you read our investigation and analysis of the BRC4 badger that was spotted loading Latrodectus<\/a> loader into memory after a successful connection to the BRC4 C2 servers, the effectiveness of BRC4 will become clear.<\/p>\n\n\n\n

What\u2019s Latrodectus?  <\/h3>\n\n\n\n

Latrodectus is a recently discovered malware loader that is suspected to be a potential successor to the IcedID malware. Security researchers believe that Latrodectus was developed by the same threat actor group responsible for IcedID<\/a>, due to similarities in development and behavior. Like other malware loaders, Latrodectus is used to deploy additional, more sophisticated malware onto compromised systems.<\/p>\n\n\n\n

Latrodectus was one of the malware targeted in Operation Endgame, a law enforcement operation aimed at disrupting cybercriminal activities. However, it seems that the developers behind Latrodectus were able to quickly recover from the temporary disruption caused by the operation and rebuild their infrastructure.<\/p>\n\n\n\n

Latrodectus has been observed to be delivered as part of a multi-stage attack that typically starts with a phishing email containing a malicious Java script or PDF file used to trick victims into installing a malicious MSI file. This MSI file contains an older version of the BRC4 badger, which is the focus of our analysis.<\/p>\n\n\n\n

Initial triage <\/strong> <\/h2>\n\n\n\n

While looking for new malware to investigate, we found an interesting sample<\/a> submitted to ANY.RUN<\/a><\/strong>‘s Public Submissions<\/a><\/em> database. <\/p>\n\n\n

\n
\"\"
The sample in question<\/figcaption><\/figure><\/div>\n\n\n

It was an MSI<\/strong> file, which matched the description above of how the malware is delivered as part of a multi-stage attack that involves a malicious MSI<\/strong>.<\/p>\n\n\n\n\n

\n
\n
About MSI files<\/div>\n <\/div>\n
\n

MSI files are a container file format that utilize the COM structure technology, allowing them to store necessary files for minimal user action. This makes them similar to self-extracting ZIP files, as they can unfold and start executing in a pre-defined order.<\/p>\n

Additionally, the installation procedure for MSI files allows execution with elevated privileges (NT AUTHORITY\\SYSTEM), which means that unprivileged users can execute their malware as SYSTEM. This makes MSI files an attractive deployment method for threat actors.<\/p>\n <\/div>\n<\/div>\n\n\n\n\n